tiering: add aws role support for s3 (#12424)

Signed-off-by: Poorna Krishnamoorthy <poorna@minio.io>
2025-11-10 14:09:48 -05:00 · 2021-06-04 12:47:00 -07:00
parent 36b2f6d11d
commit f199afcd6c
6 changed files with 33 additions and 11 deletions
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -27,6 +27,7 @@ import (
 	"fmt"
 	"math/rand"
 	"net"
+	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -39,6 +40,7 @@ import (
 	dns2 "github.com/miekg/dns"
 	"github.com/minio/cli"
 	"github.com/minio/kes"
+	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/minio/minio-go/v7/pkg/set"
 	"github.com/minio/minio/internal/auth"
 	"github.com/minio/minio/internal/config"
@@ -54,6 +56,7 @@ import (

 // serverDebugLog will enable debug printing
 var serverDebugLog = env.Get("_MINIO_SERVER_DEBUG", config.EnableOff) == config.EnableOn
+var defaultAWSCredProvider []credentials.Provider

 func init() {
 	rand.Seed(time.Now().UTC().UnixNano())
@@ -74,7 +77,6 @@ func init() {
 		// safe to assume a higher timeout upto 10 minutes.
 		globalDNSCache = xhttp.NewDNSCache(10*time.Minute, 5*time.Second, logger.LogOnceIf)
 	}
-
 	initGlobalContext()

 	globalForwarder = handlers.NewForwarder(&handlers.Forwarder{
@@ -92,6 +94,14 @@ func init() {
 	console.SetColor("Debug", color.New())

 	gob.Register(StorageErr(""))
+
+	defaultAWSCredProvider = []credentials.Provider{
+		&credentials.IAM{
+			Client: &http.Client{
+				Transport: NewGatewayHTTPTransport(),
+			},
+		},
+	}
 }

 func verifyObjectLayerFeatures(name string, objAPI ObjectLayer) {
--- a/cmd/tier.go
+++ b/cmd/tier.go
@@ -144,12 +144,16 @@ func (config *TierConfigMgr) Edit(ctx context.Context, tierName string, creds ma
 	newCfg := config.Tiers[tierName]
 	switch tierType {
 	case madmin.S3:
-		if creds.AccessKey == "" || creds.SecretKey == "" {
+		if (creds.AccessKey == "" || creds.SecretKey == "") && !creds.AWSRole {
 			return errTierInsufficientCreds
 		}
-		newCfg.S3.AccessKey = creds.AccessKey
-		newCfg.S3.SecretKey = creds.SecretKey
-
+		switch {
+		case creds.AWSRole:
+			newCfg.S3.AWSRole = true
+		default:
+			newCfg.S3.AccessKey = creds.AccessKey
+			newCfg.S3.SecretKey = creds.SecretKey
+		}
 	case madmin.Azure:
 		if creds.AccessKey == "" || creds.SecretKey == "" {
 			return errTierInsufficientCreds
--- a/cmd/warm-backend-s3.go
+++ b/cmd/warm-backend-s3.go
@@ -106,7 +106,12 @@ func newWarmBackendS3(conf madmin.TierS3) (*warmBackendS3, error) {
 	if err != nil {
 		return nil, err
 	}
-	creds := credentials.NewStaticV4(conf.AccessKey, conf.SecretKey, "")
+	var creds *credentials.Credentials
+	if conf.AWSRole {
+		creds = credentials.NewChainCredentials(defaultAWSCredProvider)
+	} else {
+		creds = credentials.NewStaticV4(conf.AccessKey, conf.SecretKey, "")
+	}
 	getRemoteTargetInstanceTransportOnce.Do(func() {
 		getRemoteTargetInstanceTransport = newGatewayHTTPTransport(10 * time.Minute)
 	})