Merge pull request #26 from offen/instance-profile

Allow s3 authentication via IAM role
offen · Sep 30, 2021 · d7ccdd7 · d7ccdd7
2 parents 6cf5cf4 + bd73a2b
commit d7ccdd7
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -134,6 +134,13 @@ You can populate below template according to your requirements and use it as you
 # AWS_ACCESS_KEY_ID="<xxx>"
 # AWS_SECRET_ACCESS_KEY="<xxx>"
 
+# Instead of providing static credentials, you can also use IAM instance profiles
+# or similar to provide authentication. Some possible configuration options on AWS:
+# - EC2: http://169.254.169.254
+# - ECS: http://169.254.170.2
+
+# AWS_IAM_ROLE_ENDPOINT="http://169.254.169.254"
+
 # This is the FQDN of your storage server, e.g. `storage.example.com`.
 # Do not set this when working against AWS S3 (the default value is 
 # `s3.amazonaws.com`). If you need to set a specific (non-https) protocol, you

diff --git a/cmd/backup/main.go b/cmd/backup/main.go
@@ -100,6 +100,7 @@ type config struct {
 	AwsEndpointInsecure        bool          `split_words:"true"`
 	AwsAccessKeyID             string        `envconfig:"AWS_ACCESS_KEY_ID"`
 	AwsSecretAccessKey         string        `split_words:"true"`
+	AwsIamRoleEndpoint         string        `split_words:"true"`
 	GpgPassphrase              string        `split_words:"true"`
 	EmailNotificationRecipient string        `split_words:"true"`
 	EmailNotificationSender    string        `split_words:"true" default:"noreply@nohost"`
@@ -145,12 +146,21 @@ func newScript() (*script, error) {
 	}
 
 	if s.c.AwsS3BucketName != "" {
-		mc, err := minio.New(s.c.AwsEndpoint, &minio.Options{
-			Creds: credentials.NewStaticV4(
+		var creds *credentials.Credentials
+		if s.c.AwsAccessKeyID != "" && s.c.AwsSecretAccessKey != "" {
+			creds = credentials.NewStaticV4(
 				s.c.AwsAccessKeyID,
 				s.c.AwsSecretAccessKey,
 				"",
-			),
+			)
+		} else if s.c.AwsIamRoleEndpoint != "" {
+			creds = credentials.NewIAM(s.c.AwsIamRoleEndpoint)
+		} else {
+			return nil, errors.New("newScript: AWS_S3_BUCKET_NAME is defined, but no credentials were provided")
+		}
+
+		mc, err := minio.New(s.c.AwsEndpoint, &minio.Options{
+			Creds:  creds,
 			Secure: !s.c.AwsEndpointInsecure && s.c.AwsEndpointProto == "https",
 		})
 		if err != nil {