Log in to FlakeHub with AWS STS
Use AWS’ Identity and Access Management to log in to a FlakeHub organization and access private flakes and artifacts without managing tokens.
Security considerations
Authenticating to FlakeHub with AWS Security Token Service (STS) currently grants read-only privileges to all sources and artifacts in the associated FlakeHub organization.
FlakeHub only needs the Amazon Resource Name (ARN) of the identity, since authentication uses the GetCallerIdentity operation.
Setup
- First, create an IAM role in your AWS account. This role does not need any permissions.
- Attach the role to your EC2 instance.
- Register the assumed role ARN, which looks like arn:aws:iam::${AccountId}:assumed-role/${RoleName}/i-* for EC2 instances, under the ARNs section of your FlakeHub Organization’s settings.
- Install or restart Determinate on your instance.
After logging in with determinate-nixd login aws, Determinate is now authenticated with FlakeHub using the bound ARN.
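As an added illustration of the setup above (this is not code from FlakeHub or Determinate), the following shows the trust policy a permission-less EC2 role needs and how the registered ARN pattern relates to what the GetCallerIdentity operation reports for instance-profile credentials, whose session name is the EC2 instance id. The account id, role name and identity responses are constructed placeholders, and the matching function is an assumption about how a glob such as arn:aws:iam::${AccountId}:assumed-role/${RoleName}/i-* would be applied, not FlakeHub's actual implementation.

```python
"""Added example: EC2 role trust policy and assumed-role ARN pattern check.

Not FlakeHub's or Determinate's code. Account id, role name and the
GetCallerIdentity responses below are constructed; the matching logic is
an assumption about how the registered glob pattern would be applied.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"    # constructed placeholder account id
ROLE_NAME = "flakehub-reader"  # constructed role name


def ec2_trust_policy() -> dict:
    # Trust policy that lets the EC2 service assume the role. The role needs
    # no permissions policy: FlakeHub only looks at the ARN reported by
    # sts:GetCallerIdentity, so the role grants nothing inside AWS.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def assumed_role_arn_pattern(account_id: str, role_name: str) -> str:
    # The pattern from the setup steps. Instance-profile credentials carry
    # the EC2 instance id as their role session name, hence the trailing i-*.
    return f"arn:aws:iam::{account_id}:assumed-role/{role_name}/i-*"


def arn_matches(arn: str, pattern: str) -> bool:
    # Shell-style glob match (assumed); only '*' is used in the pattern above.
    return fnmatch.fnmatchcase(arn, pattern)


def identity_is_bound(identity: dict, account_id: str, role_name: str) -> bool:
    # `identity` has the shape of a GetCallerIdentity response:
    # {"UserId": ..., "Account": ..., "Arn": ...}.
    # Checking the Account field as well as the ARN rejects a look-alike ARN
    # that was minted in a different account.
    if identity.get("Account") != account_id:
        return False
    return arn_matches(identity.get("Arn", ""),
                       assumed_role_arn_pattern(account_id, role_name))


# Constructed GetCallerIdentity responses (not real AWS output).
INSTANCE_IDENTITY = {
    "UserId": "AROAEXAMPLEROLEID:i-0abc123def4567890",
    "Account": ACCOUNT_ID,
    "Arn": f"arn:aws:iam::{ACCOUNT_ID}:assumed-role/{ROLE_NAME}/i-0abc123def4567890",
}
# Same role, but a session named after a person rather than an instance id.
OPERATOR_IDENTITY = {
    "UserId": "AROAEXAMPLEROLEID:alice",
    "Account": ACCOUNT_ID,
    "Arn": f"arn:aws:iam::{ACCOUNT_ID}:assumed-role/{ROLE_NAME}/alice",
}
# An IAM user in the same account, not an assumed role at all.
USER_IDENTITY = {
    "UserId": "AIDAEXAMPLEUSERID",
    "Account": ACCOUNT_ID,
    "Arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice",
}
# The right role name and session shape, but in a different account.
FOREIGN_IDENTITY = {
    "UserId": "AROAEXAMPLEOTHER:i-0abc123def4567890",
    "Account": "210987654321",
    "Arn": f"arn:aws:iam::210987654321:assumed-role/{ROLE_NAME}/i-0abc123def4567890",
}

if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(assumed_role_arn_pattern(ACCOUNT_ID, ROLE_NAME))
    for label, ident in [("instance", INSTANCE_IDENTITY), ("operator", OPERATOR_IDENTITY),
                         ("iam user", USER_IDENTITY), ("foreign", FOREIGN_IDENTITY)]:
        print(f"{label:9s} -> bound={identity_is_bound(ident, ACCOUNT_ID, ROLE_NAME)}")
```

The trust policy can be saved to a file and passed when creating the role; on the instance, `aws sts get-caller-identity` returns a document of the same shape as the constructed responses, and its Arn value is what the registered pattern has to match.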