Best practice for securing instances access to private storage buckets
There are at least two different ways that something (such as cloud-init) running on an instance can download something from a private bucket. Pros and cons of each are...? Best practices?
Opt 1. Create an account for the thing and use curl (or wget) to POST to the bucket API with a key, control what the account can access using regular policies.
- doesn't work with MFA
- key rotation should be performed
- difficult to integrate with federation
Opt 2. Create a pre-approved access URL for the bucket and GET from that URL.
- crazy long URLs that need updating when pre-approval expires
- expiry date (auditors seem to love them)
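To make Opt 2 concrete, here is an added example (not part of the question, and not any cloud provider's real signing scheme): a toy issuer and verifier for time-limited signed URLs using only the Python standard library. The secret, URL, and expiry values are constructed. It shows why such URLs get long (the expiry and an HMAC over the method, path and expiry are carried in the query string), and, on the verifier side, why the expiry must be covered by the signature: an attacker who edits `expires` in the URL breaks the signature, and a URL presented after its expiry is rejected even though the signature is valid. The signature is checked with a constant-time comparison before the expiry is trusted.

```python
"""Toy time-limited signed URL issuer/verifier (hypothetical scheme, constructed values)."""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def _canonical(method: str, path: str, expires: int) -> bytes:
    # The signed payload binds the HTTP method, the object path and the
    # expiry time, so none of them can be altered without invalidating the MAC.
    return f"{method}\n{path}\n{expires}".encode()


def sign_url(base_url: str, secret: bytes, ttl_seconds: int,
             now: Optional[int] = None) -> str:
    """Issue a GET URL for base_url that is valid for ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    path = urlparse(base_url).path
    sig = hmac.new(secret, _canonical("GET", path, expires), hashlib.sha256).hexdigest()
    # Query order is deterministic (dict insertion order), which keeps the URL stable.
    return f"{base_url}?{urlencode({'expires': expires, 'signature': sig})}"


def verify_url(url: str, secret: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a presented GET URL.

    Signature is checked first so that the expiry value is only trusted once it is
    known to be the one the issuer signed.
    """
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        presented = params["signature"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed expires/signature"

    expected = hmac.new(secret, _canonical("GET", parsed.path, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo values; a real deployment would load the secret from a
    # secrets store and use the provider's own presigning scheme.
    secret = b"constructed-demo-secret"
    url = sign_url("https://bucket.example/objects/cloud-init/config.yaml", secret, 300,
                   now=1_000_000)
    print(url)
    print(verify_url(url, secret, now=1_000_100))   # within TTL -> accepted
    print(verify_url(url, secret, now=1_000_300))   # at expiry   -> rejected
```

The `now` parameter exists so the expiry logic can be exercised deterministically; omit it in real use and the current clock is used. The toy scheme deliberately signs only method, path and expiry; a production presigned URL also binds the credential identifier and the host, which is part of why the real URLs are as long as the question complains about.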