aws-temporary-credentials.rst

File metadata and controls

30 lines (20 loc) · 1.48 KB

AWS temporary credentials
=========================

Builders run arbitrary commands provided by the user. Those commands run in a sandboxed environment (Docker), but that shouldn't be the only line of defense: for some operations we still interact with the files the user's build generated outside of Docker, so a malicious build can influence code running with our credentials.

This is why, instead of using long-lived credentials that have access to all of our resources in AWS, we use credentials generated by the AWS STS service. These are temporary (they expire on their own) and scoped down to the S3 resources that a particular build needs, so a compromised build can at most touch its own files for a short time.

Local development
-----------------

In order to make use of STS, you need to:

* Create a role in IAM with the trusted entity type set to the AWS account whose credentials are going to be used to generate the temporary credentials.
* Create an inline policy for the role. The policy should allow access to all S3 buckets and paths that are going to be used; it is the upper bound, since the temporary credentials handed to a build can never be granted more than this role allows.
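The three policy layers involved in the two bullets above and in the scoping described in the introduction, as an added example that is not the project's own code: the role's trust policy (who may assume it), the role's inline policy (the ceiling, all buckets builds may ever touch) and a per-build session policy passed to STS ``AssumeRole`` that narrows a single build to one bucket and prefix. The account ID, role ARN, bucket and prefix are constructed placeholders, and ``FakeStsClient`` stands in for boto3's STS client so the flow runs offline; the real call is ``boto3.client("sts").assume_role``, which is imported lazily.

```python
"""Added example: trust policy, role policy and per-build session policy for STS."""
import json
from typing import Any, Dict, Iterable, List

# Constructed placeholders; real values come from the AWS console and settings.
EXAMPLE_ACCOUNT_ID = "123456789012"
EXAMPLE_ROLE_ARN = f"arn:aws:iam::{EXAMPLE_ACCOUNT_ID}:role/ExampleAssumeRole"


def trust_policy(account_id: str) -> Dict[str, Any]:
    """Trust policy: only principals in ``account_id`` may assume the role.

    This is the "trusted entity type: AWS account" choice in the IAM wizard.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def role_inline_policy(buckets: Iterable[str]) -> Dict[str, Any]:
    """Inline policy on the role: the union of every bucket builds may touch.

    This is the ceiling; each build is narrowed below it by a session policy.
    """
    arns: List[str] = []
    for bucket in buckets:
        arns += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": arns,
        }],
    }


def session_policy(bucket: str, prefix: str) -> Dict[str, Any]:
    """Session policy for AssumeRole: one build, one bucket, one prefix.

    STS intersects this with the role's inline policy, so it can only narrow,
    never widen, what the temporary credentials may do.
    """
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # objects under the build's own prefix only
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
            {   # listing is allowed, but only for keys under that prefix
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
        ],
    }


def assume_scoped_role(role_arn: str, bucket: str, prefix: str, *,
                       session_name: str, duration: int = 900,
                       sts_client: Any = None) -> Dict[str, str]:
    """Call STS AssumeRole with the scoped session policy; return the credentials.

    ``duration`` is the minimum STS allows (15 minutes): enough for a build and
    short enough that a leaked key is worthless soon after. ``sts_client`` is
    injectable so the function can be exercised without network access.
    """
    if sts_client is None:
        import boto3  # lazy import so the module loads without boto3 installed
        sts_client = boto3.client("sts")
    response = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        Policy=json.dumps(session_policy(bucket, prefix)),
        DurationSeconds=duration,
    )
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": str(creds["Expiration"]),
    }


class FakeStsClient:
    """Constructed stand-in for boto3's STS client; records calls, returns fake keys."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def assume_role(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "fake-secret",
            "SessionToken": "fake-token", "Expiration": "2000-01-01T00:15:00Z",
        }}
```

The credentials returned by ``assume_scoped_role`` are what the build-side code should use for its S3 client; anything it tries outside ``bucket/prefix/`` is denied by STS regardless of how permissive the role's inline policy is.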

You can use :ref:`environment variables <settings:AWS configuration>` to set the credentials for AWS; make sure to set ``RTD_S3_PROVIDER`` to ``AWS``.

.. note::

   If you are part of the development team, you should be able to use the credentials from the ``storage-dev`` user, which is already configured to make use of STS, and the ARN of the ``RTDSTSAssumeRoleDev`` role.

.. note::

   Use AWS only when you are testing the AWS integration; use the default MinIO provider for local development. Otherwise, files may be overwritten when multiple developers use the same credentials against the same bucket.