From bd73a2b5e47f6397e4953a3de6bc475c8864efa9 Mon Sep 17 00:00:00 2001 From: Frederik Ring Date: Thu, 30 Sep 2021 19:24:43 +0200 Subject: [PATCH] allow s3 authentication via IAM role --- README.md | 7 +++++++ cmd/backup/main.go | 16 +++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 21176479..20dacc18 100644 --- a/README.md +++ b/README.md @@ -134,6 +134,13 @@ You can populate below template according to your requirements and use it as you # AWS_ACCESS_KEY_ID="" # AWS_SECRET_ACCESS_KEY="" +# Instead of providing static credentials, you can also use IAM instance profiles +# or similar to provide authentication. Some possible configuration options on AWS: +# - EC2: http://169.254.169.254 +# - ECS: http://169.254.170.2 + +# AWS_IAM_ROLE_ENDPOINT="http://169.254.169.254" + # This is the FQDN of your storage server, e.g. `storage.example.com`. # Do not set this when working against AWS S3 (the default value is # `s3.amazonaws.com`). If you need to set a specific (non-https) protocol, you diff --git a/cmd/backup/main.go b/cmd/backup/main.go index bbc5fbea..3309a721 100644 --- a/cmd/backup/main.go +++ b/cmd/backup/main.go @@ -100,6 +100,7 @@ type config struct { AwsEndpointInsecure bool `split_words:"true"` AwsAccessKeyID string `envconfig:"AWS_ACCESS_KEY_ID"` AwsSecretAccessKey string `split_words:"true"` + AwsIamRoleEndpoint string `split_words:"true"` GpgPassphrase string `split_words:"true"` EmailNotificationRecipient string `split_words:"true"` EmailNotificationSender string `split_words:"true" default:"noreply@nohost"` 
@@ -145,12 +146,21 @@ func newScript() (*script, error) { } if s.c.AwsS3BucketName != "" { - mc, err := minio.New(s.c.AwsEndpoint, &minio.Options{ - Creds: credentials.NewStaticV4( + var creds *credentials.Credentials + if s.c.AwsAccessKeyID != "" && s.c.AwsSecretAccessKey != "" { + creds = credentials.NewStaticV4( s.c.AwsAccessKeyID, s.c.AwsSecretAccessKey, "", - ), + ) + } else if s.c.AwsIamRoleEndpoint != "" { + creds = credentials.NewIAM(s.c.AwsIamRoleEndpoint) + } else { + return nil, errors.New("newScript: AWS_S3_BUCKET_NAME is defined, but no credentials were provided") + } + + mc, err := minio.New(s.c.AwsEndpoint, &minio.Options{ + Creds: creds, Secure: !s.c.AwsEndpointInsecure && s.c.AwsEndpointProto == "https", }) if err != nil {
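Review bot: A half-configured static credential pair is silently ignored by the new `if s.c.AwsAccessKeyID != "" && s.c.AwsSecretAccessKey != ""` branch: when only one of the two variables is set (a typo in the other name, a secret that failed to mount), the code falls through to the IAM endpoint, or to the generic "no credentials were provided" error, instead of naming the real misconfiguration, and in the IAM case the backup would run under whatever role the host exposes rather than the intended key. I would add an explicit guard ahead of the `var creds *credentials.Credentials` line: `if (s.c.AwsAccessKeyID == "") != (s.c.AwsSecretAccessKey == "") { return nil, errors.New("newScript: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together") }`. Separately, `credentials.NewIAM(s.c.AwsIamRoleEndpoint)` receives the operator-supplied URL verbatim, so a short comment above it stating that the value is expected to be a link-local metadata address (and that, if I read minio-go correctly, it is used as the full request URL, so an ECS deployment needs the container-credentials relative path appended rather than the bare `http://169.254.170.2` the README suggests) would spare the next reader a trip into the library. newScript begins and ends outside this hunk.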