The hibernate-search-elasticsearch-aws module signs requests to AWS Elasticsearch instances, but only if we directly declare the AWS secret and access keys as properties at startup.
When running on an EC2 instance, it's recommended to use the role provided by the EC2 instance using their provided roles that use temporary credentials: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html . `AWSCredentialsProvider` from the AWS Java SDK abstracts that in a friendly way.
It would be great if we could provide an instance of `AWSCredentialsProvider` to Hibernate Search at startup so that it can use that for signing the Elasticsearch requests.
Thanks for the heads-up. I believe there was a reason for us not to use the AWS Java SDK in the first place, so I will have to check that again. But worst case we may be able to provide an abstraction that allows you to plug in an `AWSCredentialsProvider`.
Planning this for 6.0... optimistically.
Any updates on it?
This feature is very important from an AWS security & compliance point of view.
Nothing new here, no.
If you're interested and you need it urgently, you can have a look at converting the hibernate-search-backend-elasticsearch-aws module to use the official AWS SDK instead of the current (minimal) library. The code is here: https://github.com/hibernate/hibernate-search/tree/master/backend/elasticsearch-aws and the contribution guide is here: https://github.com/hibernate/hibernate-search/blob/master/CONTRIBUTING.md .
Then, you'll probably be able to add new ways to provide credentials. I believe the AWS SDK supports various solutions, including environment variables.
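What signing through a pluggable `AWSCredentialsProvider` looks like with the AWS SDK for Java v1 signer, as an added example that is not Hibernate Search code and not from anyone in this thread. The class name `SignedEsRequestDemo`, the endpoint, the region and the credential values are constructed for illustration.

```java
import com.amazonaws.DefaultRequest;
import com.amazonaws.auth.AWS4Signer;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.http.HttpMethodName;
import java.net.URI;
import java.util.Map;

// Hypothetical demo class; not part of Hibernate Search.
public class SignedEsRequestDemo {

    // Signs one Elasticsearch request with whatever the provider returns right now.
    static Map<String, String> signedHeaders(AWSCredentialsProvider provider,
                                             String region, URI endpoint, String path) {
        DefaultRequest<Void> request = new DefaultRequest<>("es");
        request.setHttpMethod(HttpMethodName.GET);
        request.setEndpoint(endpoint);
        request.setResourcePath(path);

        AWS4Signer signer = new AWS4Signer();
        signer.setServiceName("es");
        signer.setRegionName(region);
        // Resolve credentials per request, never once at startup: role credentials
        // are temporary, and the provider is what hands back the refreshed set.
        signer.sign(request, provider.getCredentials());
        return request.getHeaders();
    }

    public static void main(String[] args) {
        // Constructed session credentials so the demo runs offline. On EC2 you would
        // pass DefaultAWSCredentialsProviderChain.getInstance() instead.
        AWSCredentialsProvider provider = new AWSStaticCredentialsProvider(
                new BasicSessionCredentials("AKIDEXAMPLE", "constructed-secret",
                        "constructed-session-token"));

        Map<String, String> headers = signedHeaders(provider, "us-east-1",
                URI.create("https://search-example.us-east-1.es.amazonaws.com"),
                "/_cluster/health");

        // Print header names only; the values carry the key id and the session token.
        System.out.println(headers.keySet());
        // Temporary credentials must travel with their session token header.
        System.out.println("session token header present: "
                + headers.containsKey("X-Amz-Security-Token"));
    }
}
```

A signer that only accepts a static access key and secret key cannot send the session token, which is why role-based credentials need the provider abstraction rather than two startup properties.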