Change key/secret to optional in apoc.nlp calls for AWS #1596
vga91 added a commit that referenced this issue on May 2, 2024
RobertoSannino pushed a commit that referenced this issue on May 15, 2024
vga91 added a commit that referenced this issue on Jun 26, 2024
vga91 added a commit that referenced this issue on Jul 3, 2024
vga91 added three commits that referenced this issue on Sep 10, 2024
Currently `verifyKey` is called for key & secret when using apoc.nlp.aws procedures. This poses several issues, especially under an orchestrated environment (we use k8s).
We don't want to rely on key/secret use (we prefer using roles when calling the AWS APIs, specifically via IRSA).
As we have to explicitly use credentials, we rotate them. In our setup Vault is in charge of rotating keys and the key/secret pair is passed to the apoc static value storage via environment variables.
This has the downside of the need to allocate a new pod, which means we can encounter call failures until the original pod is replaced.
Note: We considered mounting a secret volume, but that also has the same downside, as currently Kubernetes secret updates don't work for subPath mounts (which is required if we mount into the conf/ dir without overriding neo4j.conf, as it's populated in the official docker image entrypoint).
This could potentially be circumvented if we can change the `apoc.conf` location via another variable (I would love to hear whether this is possible).

## Expected Behavior (Mandatory)
When called without key and secret, AWS calls should fall back to normal credential chain ( env var, instance profile, role etc. )
## Actual Behavior (Mandatory)

## Specifications (Mandatory)

### Versions
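An added example of the fallback the issue asks for, written here for illustration and not taken from APOC's code: with AWS SDK for Java v1 class names, explicit key/secret become static credentials, while their absence defers to the SDK default chain (environment variables, instance profile, IRSA web identity). The `providerFor` helper and the shape of the config map are assumptions; the Comprehend client is used because APOC's AWS NLP procedures call Amazon Comprehend.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.comprehend.AmazonComprehend;
import com.amazonaws.services.comprehend.AmazonComprehendClientBuilder;

import java.util.Map;

/**
 * Illustrative credential selection for an AWS NLP call (hypothetical helper,
 * not APOC's implementation). Both key and secret present: use them as static
 * credentials. Both absent: let the SDK default chain resolve credentials from
 * env vars, the instance profile, or an IRSA web identity token, so no
 * long-lived secret has to live in a pod's environment. Only one of the two
 * present: treat as a misconfiguration instead of silently falling back.
 */
public final class AwsCredentialSelector {

    static AWSCredentialsProvider providerFor(String key, String secret) {
        boolean hasKey = key != null && !key.isBlank();
        boolean hasSecret = secret != null && !secret.isBlank();
        if (hasKey && hasSecret) {
            return new AWSStaticCredentialsProvider(new BasicAWSCredentials(key, secret));
        }
        if (hasKey != hasSecret) {
            throw new IllegalArgumentException(
                    "key and secret must be supplied together or both omitted");
        }
        // No explicit credentials: env vars, instance profile, web identity (IRSA), etc.
        return DefaultAWSCredentialsProviderChain.getInstance();
    }

    static AmazonComprehend comprehendClient(Map<String, Object> config, String region) {
        // Assumed config map shape: "key" and "secret" are optional entries.
        String key = (String) config.get("key");
        String secret = (String) config.get("secret");
        return AmazonComprehendClientBuilder.standard()
                .withCredentials(providerFor(key, secret))
                .withRegion(region)
                .build();
    }

    public static void main(String[] args) {
        // Constructed call with no key/secret: the default chain is selected.
        AWSCredentialsProvider provider = providerFor(null, null);
        System.out.println("Selected provider: " + provider.getClass().getSimpleName());
    }
}
```

With this shape the procedure can be called without key/secret from a pod that has an IRSA role, and credential rotation no longer requires a pod restart because no static pair is read from the environment.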