From e85ab19ed0895b09e7fd678cc192d1a2e4f3e748 Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Mon, 30 Oct 2023 10:18:13 -0700 Subject: [PATCH] add support for AWS AssumeRole with web identity file with tiering This mainly allows - Operator STS https://github.com/minio/operator/blob/master/docs/STS.md - AWS WebIdentityToken file approach used in EKS clusters https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html --- tier-s3.go | 51 +++++++++++++++++------ tier-s3_gen.go | 111 +++++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 132 insertions(+), 30 deletions(-) diff --git a/tier-s3.go b/tier-s3.go index 06c2a8c7..231dec40 100644 --- a/tier-s3.go +++ b/tier-s3.go @@ -1,5 +1,5 @@ // -// Copyright (c) 2015-2022 MinIO, Inc. +// Copyright (c) 2015-2023 MinIO, Inc. // // This file is part of MinIO Object Storage stack // @@ -23,14 +23,17 @@ package madmin // TierS3 represents the remote tier configuration for AWS S3 compatible backend. type TierS3 struct { - Endpoint string `json:",omitempty"` - AccessKey string `json:",omitempty"` - SecretKey string `json:",omitempty"` - Bucket string `json:",omitempty"` - Prefix string `json:",omitempty"` - Region string `json:",omitempty"` - StorageClass string `json:",omitempty"` - AWSRole bool `json:",omitempty"` + Endpoint string `json:",omitempty"` + AccessKey string `json:",omitempty"` + SecretKey string `json:",omitempty"` + Bucket string `json:",omitempty"` + Prefix string `json:",omitempty"` + Region string `json:",omitempty"` + StorageClass string `json:",omitempty"` + AWSRoleWebIdentityTokenFile string `json:",omitempty"` + AWSRoleARN string `json:",omitempty"` + AWSRoleSessionName string `json:",omitempty"` + AWSRoleDurationSeconds int `json:",omitempty"` } // S3Options supports NewTierS3 to take variadic options @@ -68,10 +71,34 @@ func S3StorageClass(storageClass string) func(s3 *TierS3) error { } } -// S3AWSRole helper to use optional AWS Role to NewTierS3 -func S3AWSRole() func(s3 *TierS3) error { +// S3AWSRoleWebIdentityTokenFile helper to use optional AWS Role token file to NewTierS3 +func S3AWSRoleWebIdentityTokenFile(tokenFile string) func(s3 *TierS3) error { return func(s3 *TierS3) error { - s3.AWSRole = true + s3.AWSRoleWebIdentityTokenFile = tokenFile + return nil + } +} + +// S3AWSRoleARN helper to use optional AWS RoleARN to NewTierS3 +func S3AWSRoleARN(roleARN string) func(s3 *TierS3) error { + return func(s3 *TierS3) error { + s3.AWSRoleARN = roleARN + return nil + } +} + +// S3AWSRoleSessionName helper to use optional AWS RoleSessionName to NewTierS3 +func S3AWSRoleSessionName(roleSessionName string) func(s3 *TierS3) error { + return func(s3 *TierS3) error { + s3.AWSRoleSessionName = roleSessionName + return nil + } +} + +// S3AWSRoleDurationSeconds helper to use optional token duration to NewTierS3 +func S3AWSRoleDurationSeconds(dsecs int) func(s3 *TierS3) error { + return func(s3 *TierS3) error { + s3.AWSRoleDurationSeconds = dsecs return nil } } diff --git a/tier-s3_gen.go b/tier-s3_gen.go index 420b3480..46bdf12a 100644 --- a/tier-s3_gen.go +++ b/tier-s3_gen.go @@ -66,10 +66,28 @@ func (z *TierS3) DecodeMsg(dc *msgp.Reader) (err error) { err = msgp.WrapError(err, "StorageClass") return } - case "AWSRole": - z.AWSRole, err = dc.ReadBool() + case "AWSRoleWebIdentityTokenFile": + z.AWSRoleWebIdentityTokenFile, err = dc.ReadString() if err != nil { - err = msgp.WrapError(err, "AWSRole") + err = msgp.WrapError(err, "AWSRoleWebIdentityTokenFile") + return + } + case "AWSRoleARN": + z.AWSRoleARN, err = dc.ReadString() + if err != nil { + err = msgp.WrapError(err, "AWSRoleARN") + return + } + case "AWSRoleSessionName": + z.AWSRoleSessionName, err = dc.ReadString() + if err != nil { + err = msgp.WrapError(err, "AWSRoleSessionName") + return + } + case "AWSRoleDurationSeconds": + z.AWSRoleDurationSeconds, err = dc.ReadInt() + if err != nil { + err = msgp.WrapError(err, "AWSRoleDurationSeconds") return } default: @@ -85,9 +103,9 @@ func (z *TierS3) DecodeMsg(dc *msgp.Reader) (err error) { // EncodeMsg implements msgp.Encodable func (z *TierS3) EncodeMsg(en *msgp.Writer) (err error) { - // map header, size 8 + // map header, size 11 // write "Endpoint" - err = en.Append(0x88, 0xa8, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74) + err = en.Append(0x8b, 0xa8, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74) if err != nil { return } @@ -156,14 +174,44 @@ func (z *TierS3) EncodeMsg(en *msgp.Writer) (err error) { err = msgp.WrapError(err, "StorageClass") return } - // write "AWSRole" - err = en.Append(0xa7, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65) + // write "AWSRoleWebIdentityTokenFile" + err = en.Append(0xbb, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x57, 0x65, 0x62, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x46, 0x69, 0x6c, 0x65) + if err != nil { + return + } + err = en.WriteString(z.AWSRoleWebIdentityTokenFile) + if err != nil { + err = msgp.WrapError(err, "AWSRoleWebIdentityTokenFile") + return + } + // write "AWSRoleARN" + err = en.Append(0xaa, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x52, 0x4e) + if err != nil { + return + } + err = en.WriteString(z.AWSRoleARN) if err != nil { + err = msgp.WrapError(err, "AWSRoleARN") return } - err = en.WriteBool(z.AWSRole) + // write "AWSRoleSessionName" + err = en.Append(0xb2, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65) if err != nil { - err = msgp.WrapError(err, "AWSRole") + return + } + err = en.WriteString(z.AWSRoleSessionName) + if err != nil { + err = msgp.WrapError(err, "AWSRoleSessionName") + return + } + // write "AWSRoleDurationSeconds" + err = en.Append(0xb6, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73) + if err != nil { + return + } + err = en.WriteInt(z.AWSRoleDurationSeconds) + if err != nil { + err = msgp.WrapError(err, "AWSRoleDurationSeconds") return } return @@ -172,9 +220,9 @@ func (z *TierS3) EncodeMsg(en *msgp.Writer) (err error) { // MarshalMsg implements msgp.Marshaler func (z *TierS3) MarshalMsg(b []byte) (o []byte, err error) { o = msgp.Require(b, z.Msgsize()) - // map header, size 8 + // map header, size 11 // string "Endpoint" - o = append(o, 0x88, 0xa8, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74) + o = append(o, 0x8b, 0xa8, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74) o = msgp.AppendString(o, z.Endpoint) // string "AccessKey" o = append(o, 0xa9, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4b, 0x65, 0x79) @@ -194,9 +242,18 @@ func (z *TierS3) MarshalMsg(b []byte) (o []byte, err error) { // string "StorageClass" o = append(o, 0xac, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x43, 0x6c, 0x61, 0x73, 0x73) o = msgp.AppendString(o, z.StorageClass) - // string "AWSRole" - o = append(o, 0xa7, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65) - o = msgp.AppendBool(o, z.AWSRole) + // string "AWSRoleWebIdentityTokenFile" + o = append(o, 0xbb, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x57, 0x65, 0x62, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x46, 0x69, 0x6c, 0x65) + o = msgp.AppendString(o, z.AWSRoleWebIdentityTokenFile) + // string "AWSRoleARN" + o = append(o, 0xaa, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x52, 0x4e) + o = msgp.AppendString(o, z.AWSRoleARN) + // string "AWSRoleSessionName" + o = append(o, 0xb2, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65) + o = msgp.AppendString(o, z.AWSRoleSessionName) + // string "AWSRoleDurationSeconds" + o = append(o, 0xb6, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73) + o = msgp.AppendInt(o, z.AWSRoleDurationSeconds) return } @@ -260,10 +317,28 @@ func (z *TierS3) UnmarshalMsg(bts []byte) (o []byte, err error) { err = msgp.WrapError(err, "StorageClass") return } - case "AWSRole": - z.AWSRole, bts, err = msgp.ReadBoolBytes(bts) + case "AWSRoleWebIdentityTokenFile": + z.AWSRoleWebIdentityTokenFile, bts, err = msgp.ReadStringBytes(bts) + if err != nil { + err = msgp.WrapError(err, "AWSRoleWebIdentityTokenFile") + return + } + case "AWSRoleARN": + z.AWSRoleARN, bts, err = msgp.ReadStringBytes(bts) + if err != nil { + err = msgp.WrapError(err, "AWSRoleARN") + return + } + case "AWSRoleSessionName": + z.AWSRoleSessionName, bts, err = msgp.ReadStringBytes(bts) + if err != nil { + err = msgp.WrapError(err, "AWSRoleSessionName") + return + } + case "AWSRoleDurationSeconds": + z.AWSRoleDurationSeconds, bts, err = msgp.ReadIntBytes(bts) if err != nil { - err = msgp.WrapError(err, "AWSRole") + err = msgp.WrapError(err, "AWSRoleDurationSeconds") return } default: @@ -280,6 +355,6 @@ func (z *TierS3) UnmarshalMsg(bts []byte) (o []byte, err error) { // Msgsize returns an upper bound estimate of the number of bytes occupied by the serialized message func (z *TierS3) Msgsize() (s int) { - s = 1 + 9 + msgp.StringPrefixSize + len(z.Endpoint) + 10 + msgp.StringPrefixSize + len(z.AccessKey) + 10 + msgp.StringPrefixSize + len(z.SecretKey) + 7 + msgp.StringPrefixSize + len(z.Bucket) + 7 + msgp.StringPrefixSize + len(z.Prefix) + 7 + msgp.StringPrefixSize + len(z.Region) + 13 + msgp.StringPrefixSize + len(z.StorageClass) + 8 + msgp.BoolSize + s = 1 + 9 + msgp.StringPrefixSize + len(z.Endpoint) + 10 + msgp.StringPrefixSize + len(z.AccessKey) + 10 + msgp.StringPrefixSize + len(z.SecretKey) + 7 + msgp.StringPrefixSize + len(z.Bucket) + 7 + msgp.StringPrefixSize + len(z.Prefix) + 7 + msgp.StringPrefixSize + len(z.Region) + 13 + msgp.StringPrefixSize + len(z.StorageClass) + 28 + msgp.StringPrefixSize + len(z.AWSRoleWebIdentityTokenFile) + 11 + msgp.StringPrefixSize + len(z.AWSRoleARN) + 19 + msgp.StringPrefixSize + len(z.AWSRoleSessionName) + 23 + msgp.IntSize return }