# AWS Maven Wagon
This project is a fork of https://github.com/spring-projects/aws-maven to support development and operations at Very Good Security (VGS). No guarantees are made for support or updating the component, but as long as we are using it actively we will update it as we need it.
## Building and deploying this wagon

```sh
mvn install
mvn deploy
```
## Usage

To publish Maven artifacts to S3, a build extension must be defined in a project's `pom.xml`. The latest version of the wagon can be found on the Maven Central public repository: https://search.maven.org/

To get the dependency, add to your pom:
```xml
<project>
  ...
  <build>
    ...
    <extensions>
      ...
      <extension>
        <groupId>io.vgs.tools</groupId>
        <artifactId>aws-maven</artifactId>
        <version>1.4.5</version>
      </extension>
      ...
    </extensions>
    ...
  </build>
  ...
</project>
```
The extension allows the build to resolve dependencies from S3 repositories as well as publish to them. Once the build extension is configured, distribution management repositories can be defined in the `pom.xml` with an `s3://` scheme.
```xml
<project>
  ...
  <distributionManagement>
    <repository>
      <id>aws-release</id>
      <name>AWS Release Repository</name>
      <url>s3://<BUCKET>/release</url>
    </repository>
    <snapshotRepository>
      <id>aws-snapshot</id>
      <name>AWS Snapshot Repository</name>
      <url>s3://<BUCKET>/snapshot</url>
    </snapshotRepository>
  </distributionManagement>
  ...
</project>
```
Finally, `~/.m2/settings.xml` should be updated to include the access and secret keys for the account. The access key should be used to populate the `username` element, and the secret access key should be used to populate the `password` element.
```xml
<settings>
  ...
  <servers>
    ...
    <server>
      <id>aws-release</id>
      <username>0123456789ABCDEFGHIJ</username>
      <password>0123456789abcdefghijklmnopqrstuvwxyzABCD</password>
    </server>
    <server>
      <id>aws-snapshot</id>
      <username>0123456789ABCDEFGHIJ</username>
      <password>0123456789abcdefghijklmnopqrstuvwxyzABCD</password>
    </server>
    ...
  </servers>
  ...
</settings>
```
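Maven applies a `<server>` entry to a repository only when the two `id` values are identical, so a typo in either file means the keys in `settings.xml` are silently ignored. The following script is an added example (not part of the wagon) that parses a pom and a settings file and reports, for every `s3://` repository, whether credentials from `settings.xml` will be applied or the wagon will have to fall back to its other credential sources. The sample documents and key values are constructed for the example.

```python
"""Check which s3:// repositories in a pom.xml have matching credentials in settings.xml.

Added example for this README, not part of the wagon. Maven matches a <server>
in settings.xml to a repository by id; the sample documents below are
constructed to mirror the README's snippets, with one deliberate id typo.
"""
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: both distribution repositories use the s3:// scheme.
SAMPLE_POM = """<project>
  <distributionManagement>
    <repository>
      <id>aws-release</id>
      <name>AWS Release Repository</name>
      <url>s3://example-artifacts/release</url>
    </repository>
    <snapshotRepository>
      <id>aws-snapshot</id>
      <name>AWS Snapshot Repository</name>
      <url>s3://example-artifacts/snapshot</url>
    </snapshotRepository>
  </distributionManagement>
</project>
"""

# Constructed sample settings.xml: the second server id ("aws-snapshots") has a typo.
SAMPLE_SETTINGS = """<settings>
  <servers>
    <server>
      <id>aws-release</id>
      <username>AKIAEXAMPLE</username>
      <password>EXAMPLESECRET</password>
    </server>
    <server>
      <id>aws-snapshots</id>
      <username>AKIAEXAMPLE</username>
      <password>EXAMPLESECRET</password>
    </server>
  </servers>
</settings>
"""


def _local(tag):
    """Strip an XML namespace prefix such as {http://maven.apache.org/POM/4.0.0}."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def s3_repositories(pom_xml):
    """Return {repository id: url} for every repository whose url uses the s3:// scheme."""
    root = ET.fromstring(pom_xml)
    repos = {}
    for elem in root.iter():
        if _local(elem.tag) in ("repository", "snapshotRepository", "pluginRepository"):
            rid, url = _child_text(elem, "id"), _child_text(elem, "url")
            if rid and url and url.startswith("s3://"):
                repos[rid] = url
    return repos


def server_ids(settings_xml):
    """Return the set of <server> ids that carry both a username and a password."""
    root = ET.fromstring(settings_xml)
    return {
        _child_text(elem, "id")
        for elem in root.iter()
        if _local(elem.tag) == "server"
        and _child_text(elem, "username") and _child_text(elem, "password")
    }


def credential_sources(pom_xml, settings_xml):
    """Map each s3:// repository id to where its credentials will come from."""
    servers = server_ids(settings_xml)
    fallback = "fallback (env vars, system properties, instance metadata or AWS profile)"
    return {rid: "settings.xml" if rid in servers else fallback
            for rid in s3_repositories(pom_xml)}


if __name__ == "__main__":
    for rid, source in credential_sources(SAMPLE_POM, SAMPLE_SETTINGS).items():
        print(f"{rid}: {source}")
```

Run against your own files by replacing the sample strings with the contents of `pom.xml` and `~/.m2/settings.xml`; a repository reported as "fallback" will only work if one of the alternative credential sources described below is available.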
Alternatively, the access and secret keys for the account can be provided through:

- the `AWS_ACCESS_KEY_ID` (or `AWS_ACCESS_KEY`) and `AWS_SECRET_KEY` (or `AWS_SECRET_ACCESS_KEY`) environment variables
- the `aws.accessKeyId` and `aws.secretKey` system properties
- the Amazon EC2 Instance Metadata Service
- an AWS profile (can be overridden with the `AWS_PROFILE` variable)
For IAM impersonation, make sure your `~/.aws/credentials` looks like this:

```ini
[root]
aws_access_key_id = AKIAxxxx
aws_secret_access_key = asdfcvbn1234

[impersonated-profile]
role_arn = arn:aws:iam::1234567890:role/CrossAccountSignIn
source_profile = root
```

You can now install via:

```sh
AWS_PROFILE=impersonated-profile AWS_REGION=us-west-2 mvn clean install
```
### Config precedence

- Use environment variables if they exist
- If environment variables don't exist, try to use the config file
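The precedence above has a practical consequence: a stray `AWS_ACCESS_KEY_ID`/`AWS_SECRET_KEY` pair in the shell wins over the profile you selected with `AWS_PROFILE`, so a build can quietly publish with different keys than intended. The script below is an added example, not the wagon's own code (the wagon delegates to the AWS SDK credential chain); it mirrors the documented order and shows how an impersonation profile with `role_arn` and `source_profile` resolves to the base keys that assume the role. The credentials file content and key values are constructed placeholders.

```python
"""Model of the credential lookup order this README describes.

Added example, not the wagon's own code: it mirrors the documented precedence
(environment variables win; otherwise the profile in ~/.aws/credentials is
used) and follows source_profile links the way the README's impersonation
example relies on. All key values are constructed placeholders.
"""
import configparser

# Constructed ~/.aws/credentials content shaped like the README's impersonation example.
SAMPLE_CREDENTIALS = """
[root]
aws_access_key_id = AKIAEXAMPLEROOT
aws_secret_access_key = EXAMPLEROOTSECRET

[impersonated-profile]
role_arn = arn:aws:iam::123456789012:role/CrossAccountSignIn
source_profile = root
"""

# Aliases the README lists for the two environment variables, in lookup order.
ACCESS_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_ACCESS_KEY")
SECRET_KEY_VARS = ("AWS_SECRET_KEY", "AWS_SECRET_ACCESS_KEY")


def _first_set(env, names):
    """Value of the first variable in `names` that is set and non-empty."""
    for name in names:
        if env.get(name):
            return env[name]
    return None


def credentials_from_env(env):
    """Static keys from the environment, or None if either half is missing."""
    access_key = _first_set(env, ACCESS_KEY_VARS)
    secret_key = _first_set(env, SECRET_KEY_VARS)
    if access_key and secret_key:
        return {"access_key": access_key, "secret_key": secret_key,
                "role_arn": None, "source": "env"}
    return None


def resolve_profile(config, name, depth=0):
    """Follow source_profile links until a profile with static keys is reached."""
    if depth > 5:
        raise ValueError("source_profile chain too long (cycle?)")
    if not config.has_section(name):
        raise KeyError(f"profile {name!r} not found in credentials file")
    section = config[name]
    if "source_profile" in section:
        base = resolve_profile(config, section["source_profile"], depth + 1)
        # The chained profile's role is assumed with the base profile's keys.
        return {**base, "role_arn": section.get("role_arn"), "profile": name}
    return {
        "access_key": section["aws_access_key_id"],
        "secret_key": section["aws_secret_access_key"],
        "role_arn": None,
        "profile": name,
    }


def resolve_credentials(env, credentials_text):
    """Apply the README's precedence: environment first, then the credentials file."""
    from_env = credentials_from_env(env)
    if from_env:
        return from_env
    config = configparser.ConfigParser()
    config.read_string(credentials_text)
    profile = env.get("AWS_PROFILE", "default")
    return {**resolve_profile(config, profile), "source": "config"}


if __name__ == "__main__":
    print(resolve_credentials({"AWS_PROFILE": "impersonated-profile"}, SAMPLE_CREDENTIALS))
```

Passing `os.environ` as `env` and the real file content as `credentials_text` shows which source a build on the current machine would pick before `mvn deploy` is run.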
## Making Artifacts Public

This wagon doesn't set an explicit ACL for each artifact that is uploaded. Instead you should create an AWS bucket policy to set permissions on objects. A bucket policy can be set in the AWS Console and can be generated using the AWS Policy Generator.

In order to make the contents of a bucket public you need to add statements with the following details to your policy:
| Effect | Principal | Action | Amazon Resource Name (ARN) |
|---|---|---|---|
| Allow | `*` | ListBucket | `arn:aws:s3:::<BUCKET>` |
| Allow | `*` | GetObject | `arn:aws:s3:::<BUCKET>/*` |
If your policy is set up properly it should look something like:
```json
{
  "Id": "Policy1397027253868",
  "Statement": [
    {
      "Sid": "Stmt1397027243665",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<BUCKET>",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    },
    {
      "Sid": "Stmt1397027177153",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<BUCKET>/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}
```
If you prefer to use the command line, you can use the following script to make the contents of a bucket public:

```sh
BUCKET=<BUCKET>   # replace with the bucket name
TIMESTAMP=$(date +%Y%m%d%H%M)
# Build the two-statement public-read policy document as JSON.
POLICY=$(cat<<EOF
{
  "Id": "public-read-policy-$TIMESTAMP",
  "Statement": [
    {
      "Sid": "list-bucket-$TIMESTAMP",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::$BUCKET",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    },
    {
      "Sid": "get-object-$TIMESTAMP",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::$BUCKET/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}
EOF
)
# Apply the policy to the bucket (replaces any existing bucket policy).
aws s3api put-bucket-policy --bucket "$BUCKET" --policy "$POLICY"
```
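Because `put-bucket-policy` replaces the whole policy and the principal is `*`, it is worth checking the document before applying it (or the current policy from `aws s3api get-bucket-policy` afterwards) to confirm that anonymous access is limited to exactly the two read grants the table above lists. The following audit script is an added example, not part of the wagon: it reports every `Allow` statement with a wildcard principal that grants an action other than `s3:ListBucket`/`s3:GetObject`, or a resource other than the intended bucket and its objects. The bucket name and the sample policies are constructed for the example; `build_policy` produces the same two statements the README shows.

```python
"""Audit a bucket policy so anonymous access stays limited to public read of one bucket.

Added example for this README, not part of the wagon. The bucket name below is
an assumption standing in for <BUCKET>, and the sample policies are constructed.
"""
import json

ASSUMED_BUCKET = "example-artifacts"  # stands in for <BUCKET>
PUBLIC_READ_ACTIONS = {"s3:listbucket", "s3:getobject"}  # compared case-insensitively


def _as_list(value):
    """IAM allows a single string or a list in Principal, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_public_policy(policy_json, bucket):
    """Return a list of findings; an empty list means anonymous grants are public read only."""
    policy = json.loads(policy_json)
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # NotAction / NotResource invert matching and widen a public grant.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"{sid}: anonymous statement uses {key}")
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in PUBLIC_READ_ACTIONS:
                findings.append(f"{sid}: anonymous principal allowed {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource not in expected:
                findings.append(f"{sid}: anonymous grant on unexpected resource {resource}")
    return findings


def build_policy(bucket, extra_statements=()):
    """Build the two-statement public-read policy from the README for `bucket`."""
    statements = [
        {"Sid": "list-bucket", "Action": ["s3:ListBucket"], "Effect": "Allow",
         "Resource": f"arn:aws:s3:::{bucket}", "Principal": {"AWS": ["*"]}},
        {"Sid": "get-object", "Action": ["s3:GetObject"], "Effect": "Allow",
         "Resource": f"arn:aws:s3:::{bucket}/*", "Principal": {"AWS": ["*"]}},
    ]
    return json.dumps({"Id": "public-read-policy", "Statement": statements + list(extra_statements)})


# Constructed: the README's policy, and the same policy with an over-broad third statement.
GOOD_POLICY = build_policy(ASSUMED_BUCKET)
BAD_POLICY = build_policy(ASSUMED_BUCKET, [
    {"Sid": "too-wide", "Action": "s3:*", "Effect": "Allow",
     "Resource": "arn:aws:s3:::*", "Principal": "*"},
])

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_public_policy(doc, ASSUMED_BUCKET) or ["ok"])
```

To check a live policy, pass the `Policy` string returned by `aws s3api get-bucket-policy` to `audit_public_policy` together with the bucket name; the same check fails on purpose if the policy was generated for a different bucket, which catches a copy-pasted `$POLICY` with the wrong `BUCKET` value.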