tier: Allow edit of the new Azure and AWS auth params (#18690)

Allow editing for the service principal credentials from Azure and the web identity token for AWS; Also, more validation of input parameters.
2025-11-07 04:42:56 -05:00 · 2023-12-21 16:58:10 -08:00
parent eba23bbac4
commit 22f8e39b58
7 changed files with 68 additions and 13 deletions
--- a/cmd/tier.go
+++ b/cmd/tier.go
@@ -311,22 +311,30 @@ func (config *TierConfigMgr) Edit(ctx context.Context, tierName string, creds ma
 	cfg := config.Tiers[tierName]
 	switch tierType {
 	case madmin.S3:
-		if (creds.AccessKey == "" || creds.SecretKey == "") && !creds.AWSRole {
-			return errTierMissingCredentials
-		}
-		switch {
-		case creds.AWSRole:
+		if creds.AWSRole {
 			cfg.S3.AWSRole = true
-		default:
+		}
+		if creds.AWSRoleWebIdentityTokenFile != "" && creds.AWSRoleARN != "" {
+			cfg.S3.AWSRoleARN = creds.AWSRoleARN
+			cfg.S3.AWSRoleWebIdentityTokenFile = creds.AWSRoleWebIdentityTokenFile
+		}
+		if creds.AccessKey != "" && creds.SecretKey != "" {
 			cfg.S3.AccessKey = creds.AccessKey
 			cfg.S3.SecretKey = creds.SecretKey
 		}
 	case madmin.Azure:
-		if creds.SecretKey == "" {
-			return errTierMissingCredentials
+		if creds.SecretKey != "" {
+			cfg.Azure.AccountKey = creds.SecretKey
+		}
+		if creds.AzSP.TenantID != "" {
+			cfg.Azure.SPAuth.TenantID = creds.AzSP.TenantID
+		}
+		if creds.AzSP.ClientID != "" {
+			cfg.Azure.SPAuth.ClientID = creds.AzSP.ClientID
+		}
+		if creds.AzSP.ClientSecret != "" {
+			cfg.Azure.SPAuth.ClientSecret = creds.AzSP.ClientSecret
 		}
-		cfg.Azure.AccountKey = creds.SecretKey
-
 	case madmin.GCS:
 		if creds.CredsJSON == nil {
 			return errTierMissingCredentials
--- a/cmd/warm-backend-azure.go
+++ b/cmd/warm-backend-azure.go
@@ -153,6 +153,19 @@ func newWarmBackendAzure(conf madmin.TierAzure, _ string) (*warmBackendAzure, er
 		err        error
 	)

+	switch {
+	case conf.AccountName == "":
+		return nil, errors.New("the account name is required")
+	case conf.AccountKey != "" && (conf.SPAuth.TenantID != "" || conf.SPAuth.ClientID != "" || conf.SPAuth.ClientSecret != ""):
+		return nil, errors.New("multiple authentication mechanisms are provided")
+	case conf.AccountKey == "" && (conf.SPAuth.TenantID == "" || conf.SPAuth.ClientID == "" || conf.SPAuth.ClientSecret == ""):
+		return nil, errors.New("no authentication mechanism was provided")
+	}
+
+	if conf.Bucket == "" {
+		return nil, errors.New("no bucket name was provided")
+	}
+
 	if conf.IsSPEnabled() {
 		credential, err = newCredentialFromSP(conf)
 	} else {
--- a/cmd/warm-backend-gcs.go
+++ b/cmd/warm-backend-gcs.go
@@ -19,6 +19,7 @@ package cmd

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"

@@ -102,6 +103,15 @@ func (gcs *warmBackendGCS) InUse(ctx context.Context) (bool, error) {
 }

 func newWarmBackendGCS(conf madmin.TierGCS, _ string) (*warmBackendGCS, error) {
+	// Validation code
+	if conf.Creds == "" {
+		return nil, errors.New("empty credentials unsupported")
+	}
+
+	if conf.Bucket == "" {
+		return nil, errors.New("no bucket name was provided")
+	}
+
 	credsJSON, err := conf.GetCredentialJSON()
 	if err != nil {
 		return nil, err
--- a/cmd/warm-backend-minio.go
+++ b/cmd/warm-backend-minio.go
@@ -18,6 +18,7 @@
 package cmd

 import (
+	"errors"
 	"fmt"
 	"net/url"
 	"strings"
@@ -35,6 +36,15 @@ type warmBackendMinIO struct {
 var _ WarmBackend = (*warmBackendMinIO)(nil)

 func newWarmBackendMinIO(conf madmin.TierMinIO, tier string) (*warmBackendMinIO, error) {
+	// Validation of credentials
+	if conf.AccessKey == "" || conf.SecretKey == "" {
+		return nil, errors.New("both access and secret keys are requied")
+	}
+
+	if conf.Bucket == "" {
+		return nil, errors.New("no bucket name was provided")
+	}
+
 	u, err := url.Parse(conf.Endpoint)
 	if err != nil {
 		return nil, err
--- a/cmd/warm-backend-s3.go
+++ b/cmd/warm-backend-s3.go
@@ -114,6 +114,20 @@ func newWarmBackendS3(conf madmin.TierS3, tier string) (*warmBackendS3, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	// Validation code
+	switch {
+	case conf.AWSRoleWebIdentityTokenFile == "" && conf.AWSRoleARN != "" || conf.AWSRoleWebIdentityTokenFile != "" && conf.AWSRoleARN == "":
+		return nil, errors.New("both the token file and the role ARN are required")
+	case conf.AccessKey == "" && conf.SecretKey != "" || conf.AccessKey != "" && conf.SecretKey == "":
+		return nil, errors.New("both the access and secret keys are required")
+	case conf.AWSRole && (conf.AWSRoleWebIdentityTokenFile != "" || conf.AWSRoleARN != "" || conf.AccessKey != "" || conf.SecretKey != ""):
+		return nil, errors.New("AWS Role cannot be activated with static credentials or the web identity token file")
+	case conf.Bucket == "":
+		return nil, errors.New("no bucket name was provided")
+	}
+
+	// Credentials initialization
 	var creds *credentials.Credentials
 	switch {
 	case conf.AWSRole: