Use IAM creds only if endpoint is S3 (#7111)

Requirements like being able to run minio gateway in ec2
pointing to a Minio deployment wouldn't work properly
because IAM creds take precendence on ec2.

Add checks such that we only enable AWS specific features
if our backend URL points to actual AWS S3 not S3 compatible
endpoints.
master
Harshavardhana 6 years ago committed by kannappanr
parent ee7dcc2903
commit bd25f31100
  1. 62
      cmd/gateway/s3/gateway-s3.go
  2. 2
      docs/gateway/s3.md

@ -22,6 +22,7 @@ import (
"io" "io"
"math/rand" "math/rand"
"net/http" "net/http"
"net/url"
"strings" "strings"
"time" "time"
@ -168,35 +169,54 @@ func randString(n int, src rand.Source, prefix string) string {
return prefix + string(b[0:30-len(prefix)]) return prefix + string(b[0:30-len(prefix)])
} }
func isAmazonS3Endpoint(urlStr string) bool {
u, err := url.Parse(urlStr)
if err != nil {
panic(err)
}
return s3utils.IsAmazonEndpoint(*u)
}
// - Static credentials provided by user (i.e. MINIO_ACCESS_KEY)
var defaultMinioProviders = []credentials.Provider{
&credentials.EnvMinio{},
}
// Chains all credential types, in the following order:
// - AWS env vars (i.e. AWS_ACCESS_KEY_ID)
// - AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials)
// - IAM profile based credentials. (performs an HTTP
// call to a pre-defined endpoint, only valid inside
// configured ec2 instances)
var defaultAWSCredProviders = []credentials.Provider{
&credentials.EnvAWS{},
&credentials.FileAWSCredentials{},
&credentials.IAM{
Client: &http.Client{
Transport: minio.NewCustomHTTPTransport(),
},
},
}
// newS3 - Initializes a new client by auto probing S3 server signature. // newS3 - Initializes a new client by auto probing S3 server signature.
func newS3(url string) (*miniogo.Core, error) { func newS3(urlStr string) (*miniogo.Core, error) {
if url == "" { if urlStr == "" {
url = "https://s3.amazonaws.com" urlStr = "https://s3.amazonaws.com"
} }
// Override default params if the host is provided // Override default params if the host is provided
endpoint, secure, err := minio.ParseGatewayEndpoint(url) endpoint, secure, err := minio.ParseGatewayEndpoint(urlStr)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Chains all credential types, in the following order: var creds *credentials.Credentials
// - AWS env vars (i.e. AWS_ACCESS_KEY_ID) if isAmazonS3Endpoint(urlStr) {
// - AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials) // If we see an Amazon S3 endpoint, then we use more ways to fetch backend credentials.
// - IAM profile based credentials. (performs an HTTP creds = credentials.NewChainCredentials(append(defaultAWSCredProviders, defaultMinioProviders...))
// call to a pre-defined endpoint, only valid inside } else {
// configured ec2 instances) creds = credentials.NewChainCredentials(defaultMinioProviders)
// - Static credentials provided by user (i.e. MINIO_ACCESS_KEY) }
creds := credentials.NewChainCredentials([]credentials.Provider{
&credentials.EnvAWS{},
&credentials.FileAWSCredentials{},
&credentials.IAM{
Client: &http.Client{
Transport: minio.NewCustomHTTPTransport(),
},
},
&credentials.EnvMinio{},
})
clnt, err := miniogo.NewWithCredentials(endpoint, creds, secure, "") clnt, err := miniogo.NewWithCredentials(endpoint, creds, secure, "")
if err != nil { if err != nil {

@ -28,7 +28,7 @@ export MINIO_SECRET_KEY=custom_secret_key
minio gateway s3 minio gateway s3
``` ```
Minio gateway will automatically look for list of credential styles in following order. Minio gateway will automatically look for list of credential styles in following order, if your backend URL is AWS S3.
- AWS env vars (i.e. AWS_ACCESS_KEY_ID) - AWS env vars (i.e. AWS_ACCESS_KEY_ID)
- AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials) - AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials)

Loading…
Cancel
Save