From 87716171995ccbdb98c9cfa5b529686b2ca90d98 Mon Sep 17 00:00:00 2001 From: Anis Eleuch Date: Thu, 14 Dec 2023 14:01:49 -0800 Subject: [PATCH] tier: Add support of AWS S3 tiering with web identity token file (#18648) --- cmd/warm-backend-s3.go | 29 +++++++++++++++++++++++++++-- go.mod | 6 +++--- go.sum | 6 ++++++ 3 files changed, 36 insertions(+), 5 deletions(-) diff --git a/cmd/warm-backend-s3.go b/cmd/warm-backend-s3.go index 4a53f402a..df251db45 100644 --- a/cmd/warm-backend-s3.go +++ b/cmd/warm-backend-s3.go @@ -19,6 +19,7 @@ package cmd import ( "context" + "errors" "fmt" "io" "net/http" @@ -114,14 +115,38 @@ func newWarmBackendS3(conf madmin.TierS3, tier string) (*warmBackendS3, error) { return nil, err } var creds *credentials.Credentials - if conf.AWSRole { + switch { + case conf.AWSRole: creds = credentials.New(&credentials.IAM{ Client: &http.Client{ Transport: NewHTTPTransport(), }, }) - } else { + case conf.AWSRoleWebIdentityTokenFile != "" && conf.AWSRoleARN != "": + sessionName := conf.AWSRoleSessionName + if sessionName == "" { + // RoleSessionName has a limited set of characters (https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) + sessionName = "minio-tier-" + mustGetUUID() + } + s3WebIdentityIAM := credentials.IAM{ + Client: &http.Client{ + Transport: NewHTTPTransport(), + }, + EKSIdentity: struct { + TokenFile string + RoleARN string + RoleSessionName string + }{ + conf.AWSRoleWebIdentityTokenFile, + conf.AWSRoleARN, + sessionName, + }, + } + creds = credentials.New(&s3WebIdentityIAM) + case conf.AccessKey != "" && conf.SecretKey != "": creds = credentials.NewStaticV4(conf.AccessKey, conf.SecretKey, "") + default: + return nil, errors.New("insufficient parameters for S3 backend authentication") } getRemoteTierTargetInstanceTransportOnce.Do(func() { getRemoteTierTargetInstanceTransport = NewHTTPTransportWithTimeout(10 * time.Minute) diff --git a/go.mod b/go.mod index df426213d..85effd795 100644 --- a/go.mod +++ b/go.mod 
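Review bot: A partially filled web-identity configuration is not rejected by the `switch` in newWarmBackendS3: when `AWSRoleWebIdentityTokenFile` is set but `AWSRoleARN` is empty (or the reverse), the second case is skipped and the tier silently uses the long-lived `AccessKey`/`SecretKey` pair if one is present, so an operator who intended short-lived federated credentials gets static keys with no signal. The same silent precedence applies when `AWSRole` is true alongside the other fields. A guard before the switch would fail closed, for example `if (conf.AWSRoleWebIdentityTokenFile != "") != (conf.AWSRoleARN != "") { return nil, errors.New("web identity token file and role ARN must be set together") }`. A caller-supplied `AWSRoleSessionName` is also passed through unchecked even though the added comment notes the restricted character set, so an invalid value presumably surfaces only when STS rejects the request; validating it here would give an earlier, clearer error. The function body starts and ends outside the hunk.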
@@ -31,11 +31,11 @@ require (
 github.com/gobwas/ws v1.3.1
 github.com/golang-jwt/jwt/v4 v4.5.0
 github.com/gomodule/redigo v1.8.9
- github.com/google/uuid v1.4.0
+ github.com/google/uuid v1.5.0
 github.com/hashicorp/golang-lru v1.0.2
 github.com/inconshreveable/mousetrap v1.1.0
 github.com/json-iterator/go v1.1.12
- github.com/klauspost/compress v1.17.3
+ github.com/klauspost/compress v1.17.4
 github.com/klauspost/cpuid/v2 v2.2.6
 github.com/klauspost/filepathx v1.1.1
 github.com/klauspost/pgzip v1.2.6
@@ -52,7 +52,7 @@ require (
 github.com/minio/highwayhash v1.0.2
 github.com/minio/kes-go v0.2.0
 github.com/minio/madmin-go/v3 v3.0.37-0.20231211192618-d20cff0b11d9
- github.com/minio/minio-go/v7 v7.0.65-0.20231122233251-1f7dd6b7e3e1
+ github.com/minio/minio-go/v7 v7.0.66-0.20231212234720-a5c27bde3e1d
 github.com/minio/mux v1.9.0
 github.com/minio/pkg/v2 v2.0.5-0.20231205011044-ec6b8d58893a
 github.com/minio/selfupdate v0.6.0
diff --git a/go.sum b/go.sum
index 2330b7044..b1beeade7 100644
--- a/go.sum
+++ b/go.sum
@@ -351,6 +353,8 @@ github.com/klauspost/compress v1.14.4/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47e github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= github.com/klauspost/compress v1.17.3 h1:qkRjuerhUU1EmXLYGkSH6EZL+vPSxIrYjLNAK4slzwA= github.com/klauspost/compress v1.17.3/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= +github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4= +github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/klauspost/cpuid/v2 v2.2.6 h1:ndNyv040zDGIDh8thGkXYjnFtiN02M1PVVF+JE/48xc= github.com/klauspost/cpuid/v2 v2.2.6/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= @@ -459,6 +463,8 @@ github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEp github.com/minio/minio-go/v6 v6.0.46/go.mod h1:qD0lajrGW49lKZLtXKtCB4X/qkMf0a5tBvN2PaZg7Gg= github.com/minio/minio-go/v7 v7.0.65-0.20231122233251-1f7dd6b7e3e1 h1:oGua0HckYk7JuIW/c1IuInHe9MCef1U6Q2Qf9ea/V5U= github.com/minio/minio-go/v7 v7.0.65-0.20231122233251-1f7dd6b7e3e1/go.mod h1:R4WVUR6ZTedlCcGwZRauLMIKjgyaWxhs4Mqi/OMPmEc= +github.com/minio/minio-go/v7 v7.0.66-0.20231212234720-a5c27bde3e1d h1:JTQegGqGuWNEkZrGzGDYt37mReF0VJ76q8duJOAwb7A= +github.com/minio/minio-go/v7 v7.0.66-0.20231212234720-a5c27bde3e1d/go.mod h1:DHAgmyQEGdW3Cif0UooKOyrT3Vxs82zNdV6tkKhRtbs= github.com/minio/mux v1.9.0 h1:dWafQFyEfGhJvK6AwLOt83bIG5bxKxKJnKMCi0XAaoA= github.com/minio/mux v1.9.0/go.mod h1:1pAare17ZRL5GpmNL+9YmqHoWnLmMZF9C/ioUCfy0BQ= github.com/minio/pkg v1.7.5 h1:UOUJjewE5zoaDPlCMJtNx/swc1jT1ZR+IajT7hrLd44=