Support AWS envs creds for non-aws endpoints in S3 gateway (#7156)

We made a change previously in #7111 which limited support
for AWS envs to the AWS S3 endpoint only. Some users requested
that this be added back for non-AWS endpoints as well, as
they require separate credentials for backend authentication
from a security point of view.
master
Harshavardhana 6 years ago committed by Nitish Tiwari
parent fad59da29d
commit 64b5701971
  1. 15
      cmd/gateway/s3/gateway-s3.go

@ -1,5 +1,5 @@
/* /*
* Minio Cloud Storage, (C) 2017, 2018 Minio, Inc. * Minio Cloud Storage, (C) 2017, 2018, 2019 Minio, Inc.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -177,8 +177,13 @@ func isAmazonS3Endpoint(urlStr string) bool {
return s3utils.IsAmazonEndpoint(*u) return s3utils.IsAmazonEndpoint(*u)
} }
// Chains all credential types, in the following order:
// - AWS env vars (i.e. AWS_ACCESS_KEY_ID)
// - AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials)
// - Static credentials provided by user (i.e. MINIO_ACCESS_KEY) // - Static credentials provided by user (i.e. MINIO_ACCESS_KEY)
var defaultMinioProviders = []credentials.Provider{ var defaultProviders = []credentials.Provider{
&credentials.EnvAWS{},
&credentials.FileAWSCredentials{},
&credentials.EnvMinio{}, &credentials.EnvMinio{},
} }
@ -196,6 +201,7 @@ var defaultAWSCredProviders = []credentials.Provider{
Transport: minio.NewCustomHTTPTransport(), Transport: minio.NewCustomHTTPTransport(),
}, },
}, },
&credentials.EnvMinio{},
} }
// newS3 - Initializes a new client by auto probing S3 server signature. // newS3 - Initializes a new client by auto probing S3 server signature.
@ -213,9 +219,10 @@ func newS3(urlStr string) (*miniogo.Core, error) {
var creds *credentials.Credentials var creds *credentials.Credentials
if isAmazonS3Endpoint(urlStr) { if isAmazonS3Endpoint(urlStr) {
// If we see an Amazon S3 endpoint, then we use more ways to fetch backend credentials. // If we see an Amazon S3 endpoint, then we use more ways to fetch backend credentials.
creds = credentials.NewChainCredentials(append(defaultAWSCredProviders, defaultMinioProviders...)) // Specifically IAM style rotating credentials are only supported with AWS S3 endpoint.
creds = credentials.NewChainCredentials(defaultAWSCredProviders)
} else { } else {
creds = credentials.NewChainCredentials(defaultMinioProviders) creds = credentials.NewChainCredentials(defaultProviders)
} }
clnt, err := miniogo.NewWithCredentials(endpoint, creds, secure, "") clnt, err := miniogo.NewWithCredentials(endpoint, creds, secure, "")
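Review bot: In `defaultProviders`, `credentials.EnvAWS{}` and `credentials.FileAWSCredentials{}` now sit ahead of `credentials.EnvMinio{}` for non-AWS endpoints, so ambient AWS credentials on the host (an exported `AWS_ACCESS_KEY_ID`, or a default profile in `~/.aws/credentials` kept for other tooling) would be picked before `MINIO_ACCESS_KEY`, assuming the chain returns the first provider that yields a value. A real AWS access key ID could then appear in requests signed for a third-party endpoint without the operator having asked for it, and the resulting auth failure would be hard to trace. The comment above the slice lists the order but not this consequence; I would add `// NOTE: first match wins; AWS env vars or ~/.aws/credentials override MINIO_ACCESS_KEY for the backend, including on non-AWS endpoints.` and consider logging at startup which provider supplied the backend credentials (never the secret itself). The `newS3` body and the `defaultAWSCredProviders` literal both extend outside the visible hunks, so any handling elsewhere is not visible here.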
