Make AWS credentials opt-in (#2358)

2025-09-04 20:14:57 +08:00 · 2023-11-16 13:57:28 +01:00 · 2023-11-16 13:57:28 +01:00 · 43f40db59d
commit 43f40db59d
parent f124b6c8c6
8 changed files with 53 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -189,6 +189,10 @@ The following environment variables can be used to configure Livebook on boot:
    building the Docker image; to do so add "RUN /app/bin/warmup_apps" to
    your image). Defaults to "auto".

+  * `LIVEBOOK_AWS_CREDENTIALS` - enable Livebook to read AWS Credentials from
+    environment variables, AWS Credentials, EC2/ECS metadata when configuring
+    S3 buckets.
+
  * `LIVEBOOK_BASE_URL_PATH` - sets the base url path the web application is
    served on. Useful when deploying behind a reverse proxy.

--- a/config/config.exs
+++ b/config/config.exs
@ -35,7 +35,8 @@ config :livebook,
  shutdown_callback: nil,
  update_instructions_url: nil,
  within_iframe: false,
-  allowed_uri_schemes: []
+  allowed_uri_schemes: [],
+  aws_credentials: false

 # TODO: Remove this in aws_credentials 0.2.0
 config :aws_credentials, fail_if_unavailable: false
--- a/lib/livebook.ex
+++ b/lib/livebook.ex
@ -145,6 +145,10 @@ defmodule Livebook do
      config :livebook, :within_iframe, true
    end

+    if Livebook.Config.boolean!("LIVEBOOK_AWS_CREDENTIALS", false) do
+      config :livebook, :aws_credentials, true
+    end
+
    config :livebook,
           :default_runtime,
           Livebook.Config.default_runtime!("LIVEBOOK_DEFAULT_RUNTIME") ||
--- a/lib/livebook/application.ex
+++ b/lib/livebook/application.ex
@ -2,6 +2,7 @@ defmodule Livebook.Application do
  use Application

  def start(_type, _args) do
+    setup_optional_dependencies()
    ensure_directories!()
    set_local_file_system!()
    ensure_distribution!()
@ -84,6 +85,12 @@ defmodule Livebook.Application do
    :ok
  end

+  defp setup_optional_dependencies() do
+    if Livebook.Config.aws_credentials?() do
+      Application.ensure_all_started(:aws_credentials)
+    end
+  end
+
  defp ensure_directories!() do
    File.mkdir_p!(Livebook.Config.home())
    File.mkdir_p!(Livebook.Config.data_path())
--- a/lib/livebook/config.ex
+++ b/lib/livebook/config.ex
@ -219,6 +219,14 @@ defmodule Livebook.Config do
    Application.fetch_env!(:livebook, :teams_url)
  end

+  @doc """
+  Returns if aws_credentials is enabled.
+  """
+  @spec aws_credentials?() :: boolean()
+  def aws_credentials?() do
+    Application.fetch_env!(:livebook, :aws_credentials)
+  end
+
  @doc """
  Shuts down the system, if possible.
  """
--- a/lib/livebook/file_system/s3.ex
+++ b/lib/livebook/file_system/s3.ex
@ -86,7 +86,7 @@ defmodule Livebook.FileSystem.S3 do
  end

  defp try_environment_credentials(changeset) do
-    case :aws_credentials.get_credentials() do
+    case get_credentials() do
      :undefined ->
        add_error(
          changeset,
@ -134,7 +134,7 @@ defmodule Livebook.FileSystem.S3 do
  def credentials(%__MODULE__{} = file_system) do
    case {file_system.access_key_id, file_system.secret_access_key} do
      {nil, nil} ->
-        case :aws_credentials.get_credentials() do
+        case get_credentials() do
          :undefined ->
            %{access_key_id: nil, secret_access_key: nil, session_token: nil}

@ -154,6 +154,14 @@ defmodule Livebook.FileSystem.S3 do
        }
    end
  end
+
+  defp get_credentials do
+    if Livebook.Config.aws_credentials?() do
+      :aws_credentials.get_credentials()
+    else
+      :undefined
+    end
+  end
 end

 defimpl Livebook.FileSystem, for: Livebook.FileSystem.S3 do
--- a/lib/livebook_web/live/hub/file_system_form_component.ex
+++ b/lib/livebook_web/live/hub/file_system_form_component.ex
@ -59,13 +59,23 @@ defmodule LivebookWeb.Hub.FileSystemFormComponent do
            placeholder="https://s3.[region].amazonaws.com/[bucket]"
          />
          <.text_field field={f[:region]} label="Region (optional)" />
-          <.password_field field={f[:access_key_id]} label="Access Key ID (optional)" />
-          <.password_field field={f[:secret_access_key]} label="Secret Access Key (optional)" />
-          <p class="text-xs text-gray-700">
-            You may leave Access Key fields empty. In such cases,
-            they will be automatically read from your environment variables,
-            AWS credentials, or Amazon EC2/ECS metadata.
-          </p>
+          <%= if Livebook.Config.aws_credentials?() do %>
+            <.password_field field={f[:access_key_id]} label="Access Key ID (optional)" />
+            <.password_field field={f[:secret_access_key]} label="Secret Access Key (optional)" />
+            <p class="text-xs text-gray-700">
+              You may leave Access Key fields empty. In such cases,
+              they will be automatically read from your environment variables,
+              AWS credentials, or Amazon EC2/ECS metadata.
+            </p>
+          <% else %>
+            <.password_field field={f[:access_key_id]} label="Access Key ID" />
+            <.password_field field={f[:secret_access_key]} label="Secret Access Key" />
+            <p class="text-xs text-gray-700">
+              Start Livebook with <code>LIVEBOOK_AWS_CREDENTIALS</code> environment
+              variable set if you want to automatically read credentials from
+              environment variables, AWS credentials, or Amazon EC2/ECS metadata.
+            </p>
+          <% end %>
          <div class="flex space-x-2">
            <button class="button-base button-blue" type="submit" disabled={not @changeset.valid?}>
              <.remix_icon icon={@button.icon} class="align-middle mr-1" />
--- a/mix.exs
+++ b/mix.exs
@ -111,7 +111,7 @@ defmodule Livebook.MixProject do
      {:earmark_parser, "~> 1.4"},
      {:ecto, "~> 3.10"},
      {:phoenix_ecto, "~> 4.4"},
-      {:aws_credentials, "~> 0.1.11"},
+      {:aws_credentials, "~> 0.1.11", runtime: false},
      {:aws_signature, "~> 0.3.0"},
      {:mint_web_socket, "~> 1.0.0"},
      {:protobuf, "~> 0.8.0"},