Dynamic discovery credentials should use default AWS SDK chain

I am trying to use Boundary to discover hosts in our AWS organization. We rely exclusively on the use of roles and short-lived tokens and have service control policies configured that prevent the creation of IAM credentials, as it's considered an anti-pattern.

I was disappointed to see that the dynamic discovery plugin for AWS requires a hard-coded Access Key ID and Access Key Secret.

I found this issue raised on the repository, "Plugin should use AWS SDK Credential Resolution Order" (Issue #12, hashicorp/boundary-plugin-host-aws on GitHub), but it doesn't seem to have gained much traction. In theory this fix should be very easy, as by simply removing them the AWS SDK will use its default credential chain.

Is there any other workaround that would enable the use of this plugin without hard-coding these credentials?

See my response in that issue (or more precisely, the responses on the issue linked from that one). Using an access key ID/secret is by far the most secure option in almost all cases (keep in mind that Boundary immediately rotates these so that only Boundary then knows what they are) because otherwise all users of all host catalogs in Boundary have access to all of the same hosts, and scoping is not possible.

However, for smaller deployments, or where this is an acceptable tradeoff, it would be nice to support IAM profile creds.

Support for other methods could be added, but there’s a lack of resourcing to do it at the moment.

cc @PPacent