How to configure AWS S3 object store using an IAM role instead of an IAM user?

From version 4.7.0 of Artifactory it is possible to connect to S3 object storage using an IAM role instead of an IAM user, which removes the need to keep hard-coded access keys in the configuration file.

After the IAM role that grants Artifactory access to the bucket has been created, Artifactory must be configured to use AWS S3 through that role. The documentation gives the full instructions; below is a sample configuration for AWS using an IAM role that can be added to $ARTIFACTORY_HOME/etc/binarystore.xml (or $CLUSTER_HOME/ha-etc/binarystore.xml for HA).

<config version="v1">
  <chain>
    <provider id="cache-fs" type="cache-fs">
      <provider id="eventual" type="eventual">
        <provider id="retry" type="retry">
          <provider id="s3" type="s3"/>
        </provider>
      </provider>
    </provider>
  </chain>
  <provider id="s3" type="s3">
    <roleName>XXXXXX</roleName>
    <endpoint>https://s3.amazonaws.com</endpoint>
    <bucketName>mybucketname</bucketName>
    <refreshCredentials>true</refreshCredentials>
  </provider>
</config>


Please note that the refreshCredentials flag is required. Without it, the temporary credentials obtained through the role expire and communication with the bucket is lost.
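As an added check (not part of this article or of Artifactory itself), the following script parses a binarystore.xml and reports the two problems discussed above: a missing or false refreshCredentials flag, and an s3 provider that still carries hard-coded keys instead of a roleName. It assumes the s3 provider's IAM-user key elements are named identity and credential, and the embedded sample is a constructed copy of the role-based configuration with a placeholder bucket name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the IAM-role binarystore.xml from the article, with a
# placeholder bucket name filled in so that the document is well-formed XML.
SAMPLE_OK = """<config version="v1">
  <chain>
    <provider id="cache-fs" type="cache-fs">
      <provider id="eventual" type="eventual">
        <provider id="retry" type="retry">
          <provider id="s3" type="s3"/>
        </provider>
      </provider>
    </provider>
  </chain>
  <provider id="s3" type="s3">
    <roleName>XXXXXX</roleName>
    <endpoint>https://s3.amazonaws.com</endpoint>
    <bucketName>mybucketname</bucketName>
    <refreshCredentials>true</refreshCredentials>
  </provider>
</config>"""


def check_s3_provider(xml_text):
    """Return a list of findings for the configured s3 provider; empty means OK."""
    root = ET.fromstring(xml_text)
    # The <provider type="s3"/> inside <chain> is only a reference; the configured
    # block is the one that has child elements.
    configured = [p for p in root.iter("provider") if p.get("type") == "s3" and len(p)]
    if not configured:
        return ['no configured <provider type="s3"> block found']
    prov = configured[0]

    def value(tag):
        return (prov.findtext(tag) or "").strip()

    findings = []
    if not value("roleName"):
        findings.append("roleName missing: the IAM role is not being used")
    # identity/credential are the IAM-user access keys the role is meant to replace
    # (element names assumed here).
    for tag in ("identity", "credential"):
        if value(tag):
            findings.append(f"{tag} present: hard-coded key stored next to the role")
    if value("refreshCredentials").lower() != "true":
        findings.append("refreshCredentials not true: the role's temporary token will expire")
    if not value("bucketName"):
        findings.append("bucketName missing")
    return findings
```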