[
https://issues.apache.org/jira/browse/FINERACT-2118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18038706#comment-18038706
]
Juhan Aasaru commented on FINERACT-2118:
----------------------------------------
PR seems to be merged. Can this issue be closed?
> S3 Content Repository credentials security
> ------------------------------------------
>
> Key: FINERACT-2118
> URL: https://issues.apache.org/jira/browse/FINERACT-2118
> Project: Apache Fineract
> Issue Type: Bug
> Affects Versions: 1.9.0
> Reporter: Arnold Galovics
> Priority: Critical
>
> When the Content Repository in Fineract - which stores the pictures of
> clients, workbook imports, etc - is used in conjunction with AWS S3
> integration, it actually suffers from 2 huge problems:
> # The AWS access and secret keys should be passed as environment variables
> explicitly to the applications. This results in a huge security problem of
> exposing the AWS credentials directly.
> # The S3 integration for the Content Repository is NOT using the default AWS
> credential chain, therefore you cannot use EC2 Instance Profiles, you cannot
> use Service Accounts on K8S to grant access to the S3 bucket which stores the
> contents. The only way to configure it is through the access key and secret
> key environment variables.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
