I have a private drone server on AWS in which I’d like to use IAM roles to authenticate with various cloud services, such as S3 (so I don’t have to manage individual keys).
However, two of the S3 plugins (drone-s3 and drone-s3-sync) will fail if no keys are provided. I haven’t checked all AWS plugins though so this issue may also be present elsewhere.
I was wondering if simply ignoring the check for aws keys would be an acceptable solution (like here and in here)? I see that some plugins used to check for a verified yaml file for security reasons, but it seems that
drone sign is not supported anymore.
I’m also wondering if this solution could present some risks, as in a public repo anyone could open a pull request and add a malicious step that abuses the instance IAM roles. My use is for private repositories, so for me that’s not a concern, but is there a general solution to avoid plugins giving too much permissions to “malicious pull requests”?
In any case I’d be happy to open multiple PRs addressing this, as I’m making use of several AWS plugins myself.