Mendix should support all authentication offered by the AWS SDK for its S3 storage

0
One of our apps developed with Mendix would like to store its data on an S3 bucket. Luckily Mendix supports this by providing Runtime Customization | Mendix Documentation. In a nutshell: you only have to provide an accesskey, secretKey, bucketName and Region and your Mendix app will store its data on an S3 bucket instead of on the filesystem. However, we now would like to use short-term credentials for security reasons. Surprisingly, Mendix does not seem to support this at all for its storage. Actually, the only possible authentication-related configuration is by passing a "com.mendix.storage.s3.AccessKeyId" and a "com.mendix.storage.s3.SecretAccessKey" as arguments. Why doesn't Mendix support all credentials offered by the AWS SDK (ref: DefaultAWSCredentialsProviderChain (AWS SDK for Java - 1.12.638) (amazon.com))? It would make much more sense to me. Is there any plan to support this? Thank you in advance.
asked
4 answers
0

Hey Arnaud,

 

If your app is deployed in Mendix cloud, usually it classifies data into 2 categories - Structured and Unstructured data. Structured/SQL data can be stored in its own Postgres DB. For Unstructured, it will use an S3 bucket only.

 

Now when you are using Mendix cloud, you will have limited access to the infrastructure; hence you can deploy your app using a private cloud, and there you can configure your own security for storage.

 

Regards,

Naman Khard

answered
0

 

I don't see how your answer is related to my question. Allow me to ask it differently then:

AWS allows multiple ways of authentication (see DefaultAWSCredentialsProviderChain (AWS SDK for Java - 1.12.638) (amazon.com)):

  • Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (RECOMMENDED since they are recognized by all the AWS SDKs and CLI except for .NET), or AWS_ACCESS_KEY and AWS_SECRET_KEY (only recognized by Java SDK)
  • Java System Properties - aws.accessKeyId and aws.secretKey
  • Web Identity Token credentials from the environment or container
  • Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI
  • Credentials delivered through the Amazon EC2 container service if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and security manager has permission to access the variable
  • Instance profile credentials delivered through the Amazon EC2 metadata service

 

However, Mendix only supports one of them when configuring S3 as a storage (Runtime Customization | Mendix Documentation). Is there a plan to support other ways in the future?

answered
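
The provider chain listed in the post above, as an added example that is not part of the original thread and is not Mendix code: a stand-alone check, written against the AWS SDK for Java 1.x, that resolves credentials through `DefaultAWSCredentialsProviderChain`, reports whether they are short-term (carry a session token), and builds an S3 client from the same chain. The class name, bucket name and region are placeholders chosen for illustration.

```java
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

public class S3ChainCheck {

    /** True when the resolved credentials are temporary, i.e. carry a session token. */
    static boolean isShortTerm(AWSCredentials creds) {
        return creds instanceof AWSSessionCredentials
                && ((AWSSessionCredentials) creds).getSessionToken() != null;
    }

    public static void main(String[] args) {
        // Placeholder values (assumptions): pass your own bucket and region.
        String bucket = args.length > 0 ? args[0] : "example-bucket";
        String region = args.length > 1 ? args[1] : "eu-west-1";

        // Tries environment variables, system properties, web identity token,
        // profile file, container credentials, then instance profile; first hit wins.
        AWSCredentialsProvider chain = DefaultAWSCredentialsProviderChain.getInstance();

        AWSCredentials creds;
        try {
            creds = chain.getCredentials();
        } catch (SdkClientException e) {
            System.err.println("No provider in the chain returned credentials: " + e.getMessage());
            System.exit(2);
            return; // keeps 'creds' definitely assigned for the compiler
        }

        // Never log the secret key or session token; a short key-id prefix is enough
        // to tell sources apart (long-term ids start with AKIA, temporary with ASIA).
        String keyId = creds.getAWSAccessKeyId();
        System.out.println("access key id prefix: " + keyId.substring(0, Math.min(4, keyId.length())));
        System.out.println("short-term credentials: " + isShortTerm(creds));
        if (!isShortTerm(creds)) {
            System.err.println("warning: long-lived key resolved; prefer a role-based source");
        }

        // Passing the provider (not the resolved keys) lets the SDK refresh expiring credentials.
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withCredentials(chain)
                .withRegion(region)
                .build();
        System.out.println("bucket exists: " + s3.doesBucketExistV2(bucket));
    }
}
```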
0

Hi Arnaud,

 

With the Amazon S3 Connector from the marketplace, together with the AWS Authentication Connector, you can use temporary/session credentials to store and read files from S3. 

There is a blog post, "Securely Connect with the AWS Authentication Connector", that describes how to set this up.

 

Does this help you with your question/request?

 

Kind regards,

Emiel Paasschens

answered
0

Hi Emiel, 

 

I'm afraid it does not answer my question. I think the AWS S3 connector works quite well and does support short-lived tokens well.

The issue is that it is not linked with the S3 Storage Runtime Customization | Mendix Documentation. It seems that Mendix has its own specific parameters regarding the configuration of an S3 bucket as its storage system instead of the filesystem, and it is unfortunately completely separate from the AWS S3 connector module you are referring to.

 

Regards, 

 

Arnaud

answered