Use Aws::CredentialProviderChain for Elasticsearch integration
Problem to solve
We currently resolve AWS credentials either using static credentials or EC2 IAM role via Aws::InstanceProfileCredentials. Ref: https://gitlab.com/gitlab-org/gitlab/blob/v12.6.2-ee/ee/lib/gitlab/elastic/client.rb
This prevents other credentials, such as IAM Roles for Tasks, from being used. This was reported (Zendesk, internal use only) by a 400-seat premium customer.
If we instead use Aws::CredentialProviderChain to resolve AWS credentials, we could support the full range of authentication options provided by AWS. See: https://github.com/aws/aws-sdk-ruby/blob/v2.11.374/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb
Intended users
Further details
Proposal
Permissions and Security
Documentation
Testing
Unit tests should include testing values that are Valid, Invalid, Nil, Empty. A real EC2/ECS environment should be spun up for acceptance testing using exploratory charter-based test sessions and attached to this issue when completed. The main risk we want to mitigate here is the leaking of data and continued functionality of Elasticsearch given the new credential verifications. I don't see the value of cross-browser testing.
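
The credential selection proposed above, together with the Valid/Invalid/Nil/Empty cases from the Testing section, as an added Ruby example (not GitLab's code). `StaticCredentials`, `resolve_aws_credentials`, `blank_value?` and the config keys `:aws_access_key` / `:aws_secret_access_key` are assumed names; the default fallback assumes the `aws-sdk-core` gem is installed.

```ruby
# Added example; all names below are assumptions, not GitLab's implementation.

# Stand-in for Aws::Credentials so the selection logic runs without the SDK.
StaticCredentials = Struct.new(:access_key_id, :secret_access_key) do
  def set?
    true
  end

  # Keep the secret out of logs and exception messages.
  def inspect
    "#<StaticCredentials access_key_id=#{access_key_id.inspect}>"
  end
  alias_method :to_s, :inspect
end

# Fallback: the SDK chain (environment variables, shared config, ECS task
# role, EC2 instance profile, among others). Required lazily so the logic
# around it can be unit-tested offline with an injected chain.
DEFAULT_CHAIN = lambda do
  require 'aws-sdk-core'
  Aws::CredentialProviderChain.new.resolve
end

def blank_value?(value)
  value.nil? || value.to_s.strip.empty?
end

# Returns an object responding to #access_key_id / #secret_access_key, or nil.
def resolve_aws_credentials(config, chain: DEFAULT_CHAIN)
  key = config[:aws_access_key]
  secret = config[:aws_secret_access_key]

  # Static keys win only when BOTH are present. A half-configured pair falls
  # through to the chain instead of producing a signer with an empty secret.
  unless blank_value?(key) || blank_value?(secret)
    return StaticCredentials.new(key.to_s.strip, secret.to_s.strip)
  end

  # Return the provider itself, not a copy of its keys, so temporary
  # credentials (task role, instance profile) can still refresh.
  provider = chain.call
  return nil unless provider && provider.set?

  provider
end
```

A `nil` result means no usable credentials were found, so the caller can send unsigned requests or fail closed.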