Use IAM creds only if endpoint is S3 (#7111)
Requirements like being able to run minio gateway in ec2 pointing to a Minio deployment wouldn't work properly because IAM creds take precedence on ec2. Add checks such that we only enable AWS specific features if our backend URL points to actual AWS S3, not S3 compatible endpoints.
This commit is contained in:
parent
ee7dcc2903
commit
bd25f31100
@ -22,6 +22,7 @@ import (
|
|||||||
"io"
|
"io"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
@ -168,35 +169,54 @@ func randString(n int, src rand.Source, prefix string) string {
|
|||||||
return prefix + string(b[0:30-len(prefix)])
|
return prefix + string(b[0:30-len(prefix)])
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func isAmazonS3Endpoint(urlStr string) bool {
|
||||||
|
u, err := url.Parse(urlStr)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
return s3utils.IsAmazonEndpoint(*u)
|
||||||
|
}
|
||||||
|
|
||||||
|
// - Static credentials provided by user (i.e. MINIO_ACCESS_KEY)
|
||||||
|
var defaultMinioProviders = []credentials.Provider{
|
||||||
|
&credentials.EnvMinio{},
|
||||||
|
}
|
||||||
|
|
||||||
|
// Chains all credential types, in the following order:
|
||||||
|
// - AWS env vars (i.e. AWS_ACCESS_KEY_ID)
|
||||||
|
// - AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials)
|
||||||
|
// - IAM profile based credentials. (performs an HTTP
|
||||||
|
// call to a pre-defined endpoint, only valid inside
|
||||||
|
// configured ec2 instances)
|
||||||
|
var defaultAWSCredProviders = []credentials.Provider{
|
||||||
|
&credentials.EnvAWS{},
|
||||||
|
&credentials.FileAWSCredentials{},
|
||||||
|
&credentials.IAM{
|
||||||
|
Client: &http.Client{
|
||||||
|
Transport: minio.NewCustomHTTPTransport(),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
// newS3 - Initializes a new client by auto probing S3 server signature.
|
// newS3 - Initializes a new client by auto probing S3 server signature.
|
||||||
func newS3(url string) (*miniogo.Core, error) {
|
func newS3(urlStr string) (*miniogo.Core, error) {
|
||||||
if url == "" {
|
if urlStr == "" {
|
||||||
url = "https://s3.amazonaws.com"
|
urlStr = "https://s3.amazonaws.com"
|
||||||
}
|
}
|
||||||
|
|
||||||
// Override default params if the host is provided
|
// Override default params if the host is provided
|
||||||
endpoint, secure, err := minio.ParseGatewayEndpoint(url)
|
endpoint, secure, err := minio.ParseGatewayEndpoint(urlStr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Chains all credential types, in the following order:
|
var creds *credentials.Credentials
|
||||||
// - AWS env vars (i.e. AWS_ACCESS_KEY_ID)
|
if isAmazonS3Endpoint(urlStr) {
|
||||||
// - AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials)
|
// If we see an Amazon S3 endpoint, then we use more ways to fetch backend credentials.
|
||||||
// - IAM profile based credentials. (performs an HTTP
|
creds = credentials.NewChainCredentials(append(defaultAWSCredProviders, defaultMinioProviders...))
|
||||||
// call to a pre-defined endpoint, only valid inside
|
} else {
|
||||||
// configured ec2 instances)
|
creds = credentials.NewChainCredentials(defaultMinioProviders)
|
||||||
// - Static credentials provided by user (i.e. MINIO_ACCESS_KEY)
|
}
|
||||||
creds := credentials.NewChainCredentials([]credentials.Provider{
|
|
||||||
&credentials.EnvAWS{},
|
|
||||||
&credentials.FileAWSCredentials{},
|
|
||||||
&credentials.IAM{
|
|
||||||
Client: &http.Client{
|
|
||||||
Transport: minio.NewCustomHTTPTransport(),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
&credentials.EnvMinio{},
|
|
||||||
})
|
|
||||||
|
|
||||||
clnt, err := miniogo.NewWithCredentials(endpoint, creds, secure, "")
|
clnt, err := miniogo.NewWithCredentials(endpoint, creds, secure, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
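Review bot: The new `isAmazonS3Endpoint` helper panics on a `url.Parse` failure, which turns a malformed user-supplied gateway URL into a crash with a stack trace rather than the clean error `newS3` already returns for every other input problem. In practice the call comes after `minio.ParseGatewayEndpoint(urlStr)` has succeeded, so the panic is probably unreachable today, but that coupling is implicit and the helper will be reused elsewhere; have it return `(bool, error)` and let `newS3` propagate the error as shown below. Separately, the comment above `defaultMinioProviders` is a leftover fragment of the old list (`// - Static credentials provided by user (i.e. MINIO_ACCESS_KEY)`); replace it with a doc comment such as `// defaultMinioProviders are the static credentials a user configures (MINIO_ACCESS_KEY/MINIO_SECRET_KEY); they are used for every backend.`, and note on `defaultAWSCredProviders` that the IAM provider is only chained when the endpoint is genuine AWS S3, since that is the point of this change. The body of `newS3` continues past the end of the hunk.
```go
func isAmazonS3Endpoint(urlStr string) (bool, error) {
	u, err := url.Parse(urlStr)
	if err != nil {
		return false, err
	}
	return s3utils.IsAmazonEndpoint(*u), nil
}

// … unchanged: defaultMinioProviders and defaultAWSCredProviders …

	var creds *credentials.Credentials
	isAmazon, err := isAmazonS3Endpoint(urlStr)
	if err != nil {
		return nil, err
	}
	if isAmazon {
	// … unchanged: credential chain selection and client creation …
```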
@ -28,7 +28,7 @@ export MINIO_SECRET_KEY=custom_secret_key
|
|||||||
minio gateway s3
|
minio gateway s3
|
||||||
```
|
```
|
||||||
|
|
||||||
Minio gateway will automatically look for list of credential styles in following order.
|
Minio gateway will automatically look for list of credential styles in following order, if your backend URL is AWS S3.
|
||||||
|
|
||||||
- AWS env vars (i.e. AWS_ACCESS_KEY_ID)
|
- AWS env vars (i.e. AWS_ACCESS_KEY_ID)
|
||||||
- AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials)
|
- AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials)
|
||||||
|