Add AWS anonymous access when reading/writing binary cache to AWS S3. #434
Conversation
AenBleidd
force-pushed
the
vko_add_aws_s3_anonymous_support
branch
from
f92d3f5
to
33f8b29
Compare
|
I'm a bit nervous to make a change like this without an understanding of AWS's security model. Can you describe the potential threats to which a user is exposed if they pass this option? |
|
User should enable anonymous access to the bucket manually and set exactly what can be done. For example, I set that anyone can list files in the bucket and download any file. But only authorized users (that are chosen manually) can write objects to the file. In common case, if user set this option in vcpkg without properly configure AWS bucket to enable anonymous access - nothing will be enabled by default. So this is completely safe option by default. |
AenBleidd
force-pushed
the
vko_add_aws_s3_anonymous_support
branch
2 times, most recently
from
dce1c92
to
09d2446
Compare
Sometimes it's essential to be able to read/write binary cache to AWS S3 anonymously (mostly read, I assume). AWS cli tool requires to be run with --no-sign-request option to get anonymous access. This PR adds new 'x-aws-config' option to configure AWS anonymous access. Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
AenBleidd
force-pushed
the
vko_add_aws_s3_anonymous_support
branch
from
09d2446
to
b7a7a1c
Compare
|
Twitter Driven Development also indicates that this isn't scary: https://twitter.com/sarbjeetjohal/status/1504727772958113797 Thanks for your contribution! |
|
@BillyONeal, thank you! |
Sometimes it's essential to be able to read/write binary cache to AWS S3 anonymously (mostly read, I assume).
AWS cli tool requires to be run with --no-sign-request option to get anonymous access.
This PR adds new 'x-aws-config' option to configure AWS anonymous access.
Signed-off-by: Vitalii Koshura lestat.de.lionkur@gmail.com