UPSTREAM: docker/distribution: 3296: allow pointing to an AWS config …

…file as a parameter for the s3 driver Recognize a new parameter when setting up the AWS client so that a generic AWS config file can be used instead of having to specify AWS access and secret keys. This should allow someone to use different authentication methods beyond just access key, secret key (and optionally session token). Using the current supported auth methods a valid file would look like: ``` [default] aws_access_key_id = AKMYAWSACCCESSKEYID aws_secret_access_key = myawssecretaccesskey ``` But you can also specify alternative auth methods: ``` [default] role_arn = arn:aws:iam:ACCOUNT_NUM:role/ROLE_NAME web_identity_token_file = /path/to/token ``` Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
migtools · Jul 11, 2023 · 9388c2b · 9388c2b
1 parent aa6c4b2
commit 9388c2b
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 21 deletions.
diff --git a/registry/storage/driver/s3-aws/s3.go b/registry/storage/driver/s3-aws/s3.go
@@ -118,6 +118,7 @@ type DriverParameters struct {
 	SessionToken                string
 	UseDualStack                bool
 	Accelerate                  bool
+	CredentialsConfigPath       string
 }
 
 func init() {
@@ -197,6 +198,11 @@ func FromParameters(parameters map[string]interface{}) (*Driver, error) {
 		secretKey = ""
 	}
 
+	credentialsConfigPath := parameters["credentialsconfigpath"]
+	if credentialsConfigPath == nil {
+		credentialsConfigPath = ""
+	}
+
 	regionEndpoint := parameters["regionendpoint"]
 	if regionEndpoint == nil {
 		regionEndpoint = ""
@@ -460,6 +466,7 @@ func FromParameters(parameters map[string]interface{}) (*Driver, error) {
 		fmt.Sprint(sessionToken),
 		useDualStackBool,
 		accelerateBool,
+		fmt.Sprint(credentialsConfigPath),
 	}
 
 	return New(params)
@@ -503,6 +510,12 @@ func New(params DriverParameters) (*Driver, error) {
 		return nil, fmt.Errorf("on Amazon S3 this storage driver can only be used with v4 authentication")
 	}
 
+	// Makes no sense to provide access/secret key and the location of a
+	// config file with credentials.
+	if (params.AccessKey != "" || params.SecretKey != "") && params.CredentialsConfigPath != "" {
+		return nil, fmt.Errorf("cannot set both access/secret key and credentials file path")
+	}
+
 	awsConfig := aws.NewConfig()
 
 	if params.AccessKey != "" && params.SecretKey != "" {
@@ -522,9 +535,7 @@ func New(params DriverParameters) (*Driver, error) {
 	awsConfig.WithS3UseAccelerate(params.Accelerate)
 	awsConfig.WithRegion(params.Region)
 	awsConfig.WithDisableSSL(!params.Secure)
-	if params.UseDualStack {
-		awsConfig.UseDualStackEndpoint = endpoints.DualStackEndpointStateEnabled
-	}
+	awsConfig.WithUseDualStack(params.UseDualStack)
 
 	if params.UserAgent != "" || params.SkipVerify {
 		httpTransport := http.DefaultTransport
@@ -544,7 +555,16 @@ func New(params DriverParameters) (*Driver, error) {
 		}
 	}
 
-	sess, err := session.NewSession(awsConfig)
+	sessionOptions := session.Options{
+		Config: *awsConfig,
+	}
+	if params.CredentialsConfigPath != "" {
+		sessionOptions.SharedConfigState = session.SharedConfigEnable
+		sessionOptions.SharedConfigFiles = []string{
+			params.CredentialsConfigPath,
+		}
+	}
+	sess, err := session.NewSessionWithOptions(sessionOptions)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create new session with aws config: %v", err)
 	}

diff --git a/registry/storage/driver/s3-aws/s3_test.go b/registry/storage/driver/s3-aws/s3_test.go
@@ -31,23 +31,27 @@ var s3DriverConstructor func(rootDirectory, storageClass string) (*Driver, error
 var skipS3 func() string
 
 func init() {
-	accessKey := os.Getenv("AWS_ACCESS_KEY")
-	secretKey := os.Getenv("AWS_SECRET_KEY")
-	bucket := os.Getenv("S3_BUCKET")
-	encrypt := os.Getenv("S3_ENCRYPT")
-	keyID := os.Getenv("S3_KEY_ID")
-	secure := os.Getenv("S3_SECURE")
-	skipVerify := os.Getenv("S3_SKIP_VERIFY")
-	v4Auth := os.Getenv("S3_V4_AUTH")
-	region := os.Getenv("AWS_REGION")
-	objectACL := os.Getenv("S3_OBJECT_ACL")
-	root, err := ioutil.TempDir("", "driver-")
-	regionEndpoint := os.Getenv("REGION_ENDPOINT")
-	forcePathStyle := os.Getenv("AWS_S3_FORCE_PATH_STYLE")
-	sessionToken := os.Getenv("AWS_SESSION_TOKEN")
-	useDualStack := os.Getenv("S3_USE_DUALSTACK")
-	combineSmallPart := os.Getenv("MULTIPART_COMBINE_SMALL_PART")
-	accelerate := os.Getenv("S3_ACCELERATE")
+	var (
+		accessKey             = os.Getenv("AWS_ACCESS_KEY")
+		secretKey             = os.Getenv("AWS_SECRET_KEY")
+		bucket                = os.Getenv("S3_BUCKET")
+		encrypt               = os.Getenv("S3_ENCRYPT")
+		keyID                 = os.Getenv("S3_KEY_ID")
+		secure                = os.Getenv("S3_SECURE")
+		skipVerify            = os.Getenv("S3_SKIP_VERIFY")
+		v4Auth                = os.Getenv("S3_V4_AUTH")
+		region                = os.Getenv("AWS_REGION")
+		objectACL             = os.Getenv("S3_OBJECT_ACL")
+		regionEndpoint        = os.Getenv("REGION_ENDPOINT")
+		forcePathStyle        = os.Getenv("AWS_S3_FORCE_PATH_STYLE")
+		sessionToken          = os.Getenv("AWS_SESSION_TOKEN")
+		useDualStack          = os.Getenv("S3_USE_DUALSTACK")
+		combineSmallPart      = os.Getenv("MULTIPART_COMBINE_SMALL_PART")
+		accelerate            = os.Getenv("S3_ACCELERATE")
+		credentialsConfigPath = os.Getenv("AWS_SHARED_CREDENTIALS_FILE")
+	)
+
+	root, err := os.MkdirTemp("", "driver-")
 	if err != nil {
 		panic(err)
 	}
@@ -138,6 +142,7 @@ func init() {
 			sessionToken,
 			useDualStackBool,
 			accelerateBool,
+			credentialsConfigPath,
 		}
 
 		return New(parameters)