Use IAM creds only if endpoint is S3 (#7111)

Requirements like being able to run minio gateway in ec2
pointing to a Minio deployment wouldn't work properly
because IAM creds take precendence on ec2.

Add checks such that we only enable AWS specific features
if our backend URL points to actual AWS S3 not S3 compatible
endpoints.
This commit is contained in:
Harshavardhana 2019-01-24 00:42:33 +05:30 committed by kannappanr
parent ee7dcc2903
commit bd25f31100
2 changed files with 42 additions and 22 deletions

View File

@ -22,6 +22,7 @@ import (
"io"
"math/rand"
"net/http"
"net/url"
"strings"
"time"
@ -168,16 +169,17 @@ func randString(n int, src rand.Source, prefix string) string {
return prefix + string(b[0:30-len(prefix)])
}
// newS3 - Initializes a new client by auto probing S3 server signature.
func newS3(url string) (*miniogo.Core, error) {
if url == "" {
url = "https://s3.amazonaws.com"
func isAmazonS3Endpoint(urlStr string) bool {
u, err := url.Parse(urlStr)
if err != nil {
panic(err)
}
return s3utils.IsAmazonEndpoint(*u)
}
// Override default params if the host is provided
endpoint, secure, err := minio.ParseGatewayEndpoint(url)
if err != nil {
return nil, err
// - Static credentials provided by user (i.e. MINIO_ACCESS_KEY)
var defaultMinioProviders = []credentials.Provider{
&credentials.EnvMinio{},
}
// Chains all credential types, in the following order:
@ -186,8 +188,7 @@ func newS3(url string) (*miniogo.Core, error) {
// - IAM profile based credentials. (performs an HTTP
// call to a pre-defined endpoint, only valid inside
// configured ec2 instances)
// - Static credentials provided by user (i.e. MINIO_ACCESS_KEY)
creds := credentials.NewChainCredentials([]credentials.Provider{
var defaultAWSCredProviders = []credentials.Provider{
&credentials.EnvAWS{},
&credentials.FileAWSCredentials{},
&credentials.IAM{
@ -195,8 +196,27 @@ func newS3(url string) (*miniogo.Core, error) {
Transport: minio.NewCustomHTTPTransport(),
},
},
&credentials.EnvMinio{},
})
}
// newS3 - Initializes a new client by auto probing S3 server signature.
func newS3(urlStr string) (*miniogo.Core, error) {
if urlStr == "" {
urlStr = "https://s3.amazonaws.com"
}
// Override default params if the host is provided
endpoint, secure, err := minio.ParseGatewayEndpoint(urlStr)
if err != nil {
return nil, err
}
var creds *credentials.Credentials
if isAmazonS3Endpoint(urlStr) {
// If we see an Amazon S3 endpoint, then we use more ways to fetch backend credentials.
creds = credentials.NewChainCredentials(append(defaultAWSCredProviders, defaultMinioProviders...))
} else {
creds = credentials.NewChainCredentials(defaultMinioProviders)
}
clnt, err := miniogo.NewWithCredentials(endpoint, creds, secure, "")
if err != nil {

View File

@ -28,7 +28,7 @@ export MINIO_SECRET_KEY=custom_secret_key
minio gateway s3
```
Minio gateway will automatically look for list of credential styles in following order.
Minio gateway will automatically look for list of credential styles in following order, if your backend URL is AWS S3.
- AWS env vars (i.e. AWS_ACCESS_KEY_ID)
- AWS creds file (i.e. AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials)