Add support for IAM proxies for S3 #1484

Open
wants to merge 10 commits into
base: main
7 changes: 7 additions & 0 deletions charts/athens-proxy/templates/deployment.yaml
Expand Up @@ -24,6 +24,9 @@ spec:
checksum/upstream: {{ include (print $.Template.BasePath "/config-upstream.yaml") . | sha256sum }}
checksum/ssh-config: {{ include (print $.Template.BasePath "/config-ssh-git-servers.yaml") . | sha256sum }}
checksum/ssh-secret: {{ include (print $.Template.BasePath "/secret-ssh-git-servers.yaml") . | sha256sum }}
{{- if .Values.storage.s3.iamRole }}
iam.amazonaws.com/role: {{ .Values.storage.s3.iamRole | quote }
{{- end }}
{{- if .Values.annotations }}
{{ toYaml .Values.annotations | indent 8 }}
{{- end }}
Expand Down Expand Up @@ -109,6 +112,10 @@ spec:
- name: ATHENS_STORAGE_GCP_JSON_KEY
value: {{ .Values.storage.gcp.serviceAccount | b64enc | quote }}
{{- end }}
{{- if .Values.storage.s3.use_iam_proxy }}
- name: AWS_USE_IAM_PROXY
value: {{ .Values.storage.s3.use_iam_proxy | quote }}
{{- end }}
{{- else if eq .Values.storage.type "minio" }}
{{- if .Values.storage.minio.endpoint }}
- name: ATHENS_MINIO_ENDPOINT
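Review bot: The new annotation line `iam.amazonaws.com/role: {{ .Values.storage.s3.iamRole | quote }` closes the template action with a single `}`, so the action is never terminated and the chart fails to render (or emits a stray brace) whenever `storage.s3.iamRole` is set; it should read `iam.amazonaws.com/role: {{ .Values.storage.s3.iamRole | quote }}`. The two values added in this file also mix naming styles (`iamRole` in the first hunk, `use_iam_proxy` in the second) while the neighbouring keys such as `serviceAccount` are camelCase, so `useIamProxy` would be the consistent choice, kept in step with whatever `values.yaml` declares (not visible here). Both values presumably need matching entries and a short description in the chart's `values.yaml` and README so operators know the annotation only takes effect with a KIAM-style proxy in the cluster.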
3 changes: 2 additions & 1 deletion pkg/config/s3.go
Expand Up @@ -11,5 +11,6 @@ type S3Config struct {
ForcePathStyle bool `envconfig:"AWS_FORCE_PATH_STYLE"`
CredentialsEndpoint string `envconfig:"AWS_CREDENTIALS_ENDPOINT"`
AwsContainerCredentialsRelativeURI string `envconfig:"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"`
Endpoint string `envconfig:"AWS_ENDPOINT"`
Endpoint string `evnconfig:"AWS_ENDPOINT"`
UseIAMProxy bool `envconfig:"AWS_USE_IAM_PROXY"`
}
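Review bot: The `Endpoint` field now carries the tag `evnconfig:"AWS_ENDPOINT"` — the key is misspelled, and envconfig only reads the `envconfig` key, so if this line is the new side of the change (its position and the 1-deletion/2-additions count suggest so) the `AWS_ENDPOINT` variable is silently no longer honoured and the client falls back to the public default endpoint instead of a configured VPC or S3-compatible one. Restore the spelling: `Endpoint string `envconfig:"AWS_ENDPOINT"``. `go vet`'s structtag check does not flag an unknown tag key, so a config test that sets `AWS_ENDPOINT` and asserts the field is populated would catch this class of regression. The added `UseIAMProxy bool `envconfig:"AWS_USE_IAM_PROXY"`` matches the existing tag convention and is fine as written.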
56 changes: 33 additions & 23 deletions pkg/storage/s3/s3.go
Expand Up @@ -35,34 +35,44 @@ type Storage struct {
func New(s3Conf *config.S3Config, timeout time.Duration, options ...func(*aws.Config)) (*Storage, error) {
const op errors.Op = "s3.New"

awsConfig := defaults.Config()
awsConfig.Region = aws.String(s3Conf.Region)
for _, o := range options {
o(awsConfig)
}
var awsConfig *aws.Config
if s3Conf.UseIAMProxy {
// if set to use an IAM proxy (like KIAM), Credentials aren't set up in the environment where Athens is running
// but are instead attached to aws requests via a proxy, typically running as a sidecar.

// To use the IAM proxy, we don't need to set the config (except for the region) as all other AWS settings are
// inherited from the proxy
awsConfig = aws.NewConfig().WithRegion(s3Conf.Region)
} else {
awsConfig = defaults.Config()
awsConfig.Region = aws.String(s3Conf.Region)
for _, o := range options {
o(awsConfig)
}

credProviders := defaults.CredProviders(awsConfig, defaults.Handlers())
credProviders := defaults.CredProviders(awsConfig, defaults.Handlers())

if !s3Conf.UseDefaultConfiguration {
endpointcreds := []credentials.Provider{
endpointcreds.NewProviderClient(*awsConfig, defaults.Handlers(), endpointFrom(s3Conf.CredentialsEndpoint, s3Conf.AwsContainerCredentialsRelativeURI)),
&credentials.StaticProvider{
Value: credentials.Value{
AccessKeyID: s3Conf.Key,
SecretAccessKey: s3Conf.Secret,
SessionToken: s3Conf.Token,
if !s3Conf.UseDefaultConfiguration {
endpointcreds := []credentials.Provider{
endpointcreds.NewProviderClient(*awsConfig, defaults.Handlers(), endpointFrom(s3Conf.CredentialsEndpoint, s3Conf.AwsContainerCredentialsRelativeURI)),
&credentials.StaticProvider{
Value: credentials.Value{
AccessKeyID: s3Conf.Key,
SecretAccessKey: s3Conf.Secret,
SessionToken: s3Conf.Token,
},
},
},
}
}

credProviders = append(endpointcreds, credProviders...)
}
credProviders = append(endpointcreds, credProviders...)
}

awsConfig.S3ForcePathStyle = aws.Bool(s3Conf.ForcePathStyle)
awsConfig.Credentials = credentials.NewChainCredentials(credProviders)
awsConfig.CredentialsChainVerboseErrors = aws.Bool(true)
if s3Conf.Endpoint != "" {
awsConfig.Endpoint = aws.String(s3Conf.Endpoint)
awsConfig.S3ForcePathStyle = aws.Bool(s3Conf.ForcePathStyle)
awsConfig.Credentials = credentials.NewChainCredentials(credProviders)
awsConfig.CredentialsChainVerboseErrors = aws.Bool(true)
if s3Conf.Endpoint != "" {
awsConfig.Endpoint = aws.String(s3Conf.Endpoint)
}
}

// create a session with creds
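Review bot: In the `s3Conf.UseIAMProxy` branch the config is built from `aws.NewConfig().WithRegion(s3Conf.Region)` alone, so the `options ...func(*aws.Config)` arguments, `S3ForcePathStyle` and a configured `Endpoint` — all of which now sit inside the `else` branch — are silently ignored when the proxy flag is on; a deployment that sets `AWS_ENDPOINT` for a VPC or S3-compatible endpoint, or a caller that injects an option hook, ends up talking to the public default endpoint. The in-branch comment also says "all other AWS settings are inherited from the proxy", but a KIAM-style proxy only supplies credentials (by answering the metadata endpoint), so region, endpoint and path style still have to come from this config. I would keep the author's `aws.NewConfig()` base for the proxy case (as I recall `defaults.Config()` installs anonymous credentials, which would defeat the default chain the proxy relies on), apply the options there as well, and lift the path-style and endpoint assignments out of the `else` branch so both paths share them. The rest of `New` (session creation) continues outside the hunk.
```go
var awsConfig *aws.Config
if s3Conf.UseIAMProxy {
	// … unchanged: comment on IAM proxy credential sourcing …
	awsConfig = aws.NewConfig().WithRegion(s3Conf.Region)
	for _, o := range options {
		o(awsConfig)
	}
} else {
	// … unchanged: defaults.Config(), options, credential provider chain, CredentialsChainVerboseErrors …
}

// Path style and a custom endpoint are transport settings, independent of how
// credentials are sourced, so they apply on both paths.
awsConfig.S3ForcePathStyle = aws.Bool(s3Conf.ForcePathStyle)
if s3Conf.Endpoint != "" {
	awsConfig.Endpoint = aws.String(s3Conf.Endpoint)
}
```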