add session token without IAM policy
fix: doc of getting started with session token
fix: temporary session token
fix: find session token in the env variables
fix: add S3_SESSION_TOKEN in the docker-entrypoint.d
fix: docs of getting started with session token

fix: check if session token presents
shawnhankim authored and dekobon committed Mar 2, 2023
1 parent 554af8d commit ad5fe25
Showing 8 changed files with 31 additions and 9 deletions.
4 changes: 4 additions & 0 deletions common/docker-entrypoint.d/00-check-for-required-env.sh
@@ -52,6 +52,10 @@ else
required+=("S3_ACCESS_KEY_ID" "S3_SECRET_KEY")
fi

if [[ -v S3_SESSION_TOKEN ]]; then
echo "S3 Session token present"
fi

for name in ${required[@]}; do
if [[ ! -v name ]]; then
>&2 echo "Required ${name} environment variable missing"
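Review bot: `[[ -v S3_SESSION_TOKEN ]]` is also true when the variable is set to the empty string (`S3_SESSION_TOKEN=`), so the entrypoint would report a token as present that the gateway cannot use; `[[ -n "${S3_SESSION_TOKEN:-}" ]]` reports presence only for a non-empty value. The message is also printed regardless of which branch populated `required`, but a session token is only read inside the static-credentials branch of `readCredentials`, so consider warning when the token is set while instance-profile credentials are in use, where it is silently ignored. Echoing only presence, never the value, is the right choice.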
6 changes: 4 additions & 2 deletions common/etc/nginx/include/s3gateway.js
@@ -236,11 +236,13 @@ function _writeCredentialsToFile(credentials) {
* @returns {undefined|{accessKeyId: (string), secretAccessKey: (string), sessionToken: (string|null), expiration: (string|null)}} AWS instance profile credentials or undefined
*/
function readCredentials(r) {
if (process.env['S3_ACCESS_KEY_ID'] && process.env['S3_SECRET_KEY']) {
if ('S3_ACCESS_KEY_ID' in process.env && 'S3_SECRET_KEY' in process.env) {
const sessionToken = 'S3_SESSION_TOKEN' in process.env ?
process.env['S3_SESSION_TOKEN'] : null;
return {
accessKeyId: process.env['S3_ACCESS_KEY_ID'],
secretAccessKey: process.env['S3_SECRET_KEY'],
sessionToken: null,
sessionToken: sessionToken,
expiration: null
};
}
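Review bot: replacing the truthiness test with `'S3_ACCESS_KEY_ID' in process.env && 'S3_SECRET_KEY' in process.env` changes behaviour for empty values: an operator who exports `S3_ACCESS_KEY_ID=` and `S3_SECRET_KEY=` (or leaves them empty in an env file) now gets static credentials with empty strings instead of falling through to the instance-profile path, and the same applies to `S3_SESSION_TOKEN=`, which yields `sessionToken: ''` rather than `null`. Keeping the original truthiness check for the two keys and writing `const sessionToken = process.env['S3_SESSION_TOKEN'] || null;` treats unset and empty the same way. Note also that `expiration` stays `null` on this path, so a session token supplied through the environment is never refreshed by the gateway; that deserves a sentence in the JSDoc above.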
1 change: 1 addition & 0 deletions common/etc/nginx/nginx.conf
@@ -11,6 +11,7 @@ load_module modules/ngx_http_xslt_filter_module.so;
# Preserve S3 environment variables for worker threads
env S3_ACCESS_KEY_ID;
env S3_SECRET_KEY;
env S3_SESSION_TOKEN;
env S3_BUCKET_NAME;
env S3_SERVER;
env S3_SERVER_PORT;
13 changes: 7 additions & 6 deletions docs/getting_started.md
@@ -19,6 +19,7 @@ running as a Container or as a Systemd service.
| `AWS_SIGS_VERSION` | Yes | 2, 4 | | AWS Signatures API version |
| `S3_ACCESS_KEY_ID` | Yes | | | Access key |
| `S3_SECRET_KEY` | Yes | | | Secret access key |
| `S3_SESSION_TOKEN` | No | | | Session token. |
| `S3_BUCKET_NAME` | Yes | | | Name of S3 bucket to proxy requests to |
| `S3_REGION` | Yes | | | Region associated with API |
| `S3_SERVER_PORT` | Yes | | | SSL/TLS port to connect to |
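Review bot: the description `Session token.` is thinner than the neighbouring rows and ends with a period the others omit; say what the token is for and when it applies, for example `Session token for temporary credentials; used only together with S3_ACCESS_KEY_ID and S3_SECRET_KEY`, so readers neither set it on its own nor expect it to apply to instance-profile credentials.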
@@ -39,7 +40,7 @@ running as a Container or as a Systemd service.


If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html),
you will need to omit the `S3_ACCESS_KEY_ID` and `S3_SECRET_KEY` variables from
you will need to omit the `S3_ACCESS_KEY_ID`, `S3_SECRET_KEY` and `S3_SESSION_TOKEN` variables from
the configuration.

When running with Docker, the above environment variables can be set in a file
@@ -210,8 +211,8 @@ docker run --env-file ./settings --publish 80:80 --name nginx-plus-s3-gateway \
allow you to assign a role to a compute so that other AWS services can trust
the instance without having to store authentication keys in the compute
instance. This is useful for the gateway because it allows us to run the
gateway without storing an unchanging `S3_ACCESS_KEY_ID` and `S3_SECRET_KEY`
in a file on disk or in an easily read environment variable.
gateway without storing an unchanging `S3_ACCESS_KEY_ID`, `S3_SECRET_KEY` and
`S3_SESSION_TOKEN` in a file on disk or in an easily read environment variable.

Instance profiles work by providing credentials to the instance via the
[AWS Metadata API](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html).
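Review bot: adding `S3_SESSION_TOKEN` to the sentence about storing an "unchanging" key pair is misleading, because a session token is temporary by nature (the commit message itself calls it a temporary session token) and the static-credentials path in `readCredentials` returns `expiration: null`, so the gateway has no way to refresh it. Keep "unchanging" for the access key and secret, and add that a token supplied through the environment or a file must be replaced, with a gateway restart, before it expires.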
@@ -224,7 +225,7 @@ Following the [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/User
we can create a IAM role and launch an instance associated with it. On that
instance, if we run the gateway as a Systemd service there are no additional
steps. We just run the install script without specifying the
`S3_ACCESS_KEY_ID` and `S3_SECRET_KEY` environment variables.
`S3_ACCESS_KEY_ID`, `S3_SECRET_KEY` and `S3_SESSION_TOKEN` environment variables.

However, if we want to run the gateway as a container instance on that
EC2 instance, then we will need to run the following command using the AWS
@@ -236,7 +237,7 @@ aws ec2 modify-instance-metadata-options --instance-id <instance id> \
```

After that has been run we can start the container normally and omit the
`S3_ACCESS_KEY_ID` and `S3_SECRET_KEY` environment variables.
`S3_ACCESS_KEY_ID`, `S3_SECRET_KEY` and `S3_SESSION_TOKEN` environment variables.

### Running in ECS with an IAM Policy

@@ -370,4 +371,4 @@ error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 4
```

### Error `403 Access Denied` for AWS Accounts with MFA Enabled
The REST authentication method used in this container does not work with AWS IAM roles that have MFA enabled for authentication. Please use AWS IAM role credentials that do not have MFA enabled.
The REST authentication method used in this container does not work with AWS IAM roles that have MFA enabled for authentication. Please use AWS IAM role credentials that do not have MFA enabled.
1 change: 1 addition & 0 deletions settings.example
@@ -1,6 +1,7 @@
S3_BUCKET_NAME=my-bucket
S3_ACCESS_KEY_ID=ZZZZZZZZZZZZZZZZZZZZ
S3_SECRET_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
S3_SESSION_TOKEN=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
S3_SERVER=s3-us-east-1.amazonaws.com
S3_SERVER_PORT=443
S3_SERVER_PROTO=https
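Review bot: `S3_SESSION_TOKEN` is documented as optional in this same commit, yet the example sets it to a placeholder value; anyone who copies `settings.example` and only replaces the access key and secret will send the `bbbb…` string as a session token, because `readCredentials` now checks only that the variable is present. Comment the line out (`#S3_SESSION_TOKEN=…`) or add a comment that it is needed only for temporary credentials.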
7 changes: 7 additions & 0 deletions standalone_ubuntu_oss_install.sh
@@ -44,6 +44,10 @@ else
uses_iam_creds=0
fi

if [[ -v S3_SESSION_TOKEN ]]; then
echo "S3 Session token present"
fi

for name in ${required[@]}; do
if [ -z ${!name+x} ]; then
>&2 echo "Required ${name} environment variable missing"
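Review bot: same check as in `00-check-for-required-env.sh`: `[[ -v S3_SESSION_TOKEN ]]` also matches an empty value, so prefer `[[ -n "${S3_SESSION_TOKEN:-}" ]]`. Unlike the entrypoint, this script already records `uses_iam_creds`, so it could warn here when a token is set while `uses_iam_creds` is not 0, the case in which the token is never written out or used.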
@@ -182,6 +186,8 @@ if [ $uses_iam_creds -eq 0 ]; then
S3_ACCESS_KEY_ID=${S3_ACCESS_KEY_ID}
# AWS Secret access key
S3_SECRET_KEY=${S3_SECRET_KEY}
# AWS Session Token
S3_SESSION_TOKEN=${S3_SESSION_TOKEN}
EOF
fi
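Review bot: `S3_SESSION_TOKEN=${S3_SESSION_TOKEN}` is written unconditionally inside the `uses_iam_creds -eq 0` branch, so an install with a plain long-term key pair ends up with `S3_SESSION_TOKEN=` (set, but empty) in the generated file; combined with the presence-only check in `readCredentials`, that surfaces as an empty-string session token rather than `null`. Since the two lines sit inside a heredoc, append them from a second heredoc guarded by `if [[ -n "${S3_SESSION_TOKEN:-}" ]]`, the same `cat >> … << EOF` pattern the `/etc/nginx/environment` hunk below already uses.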

@@ -281,6 +287,7 @@ if [ $uses_iam_creds -eq 0 ]; then
cat >> "/etc/nginx/environment" << EOF
env S3_ACCESS_KEY_ID;
env S3_SECRET_KEY;
env S3_SESSION_TOKEN;
EOF
fi

1 change: 1 addition & 0 deletions test.sh
@@ -276,6 +276,7 @@ MSYS_NO_PATHCONV=1 "${docker_cmd}" run \
-e "S3_STYLE=virtual" \
-e "S3_ACCESS_KEY_ID=unit_test" \
-e "S3_SECRET_KEY=unit_test" \
-e "S3_SESSION_TOKEN=unit_test" \
-e "S3_BUCKET_NAME=unit_test" \
-e "S3_SERVER=unit_test" \
-e "S3_SERVER_PROTO=https" \
7 changes: 6 additions & 1 deletion test/unit/s3gateway_test.js
@@ -373,6 +373,7 @@ function testReadCredentialsWithAccessAndSecretKeySet() {
let r = {};
process.env['S3_ACCESS_KEY_ID'] = 'SOME_ACCESS_KEY';
process.env['S3_SECRET_KEY'] = 'SOME_SECRET_KEY';
process.env['S3_SESSION_TOKEN'] = 'SOME_SESSION_TOKEN';

try {
var credentials = s3gateway.readCredentials(r);
@@ -382,7 +383,7 @@ function testReadCredentialsWithAccessAndSecretKeySet() {
if (credentials.secretAccessKey !== process.env['S3_SECRET_KEY']) {
throw 'static credentials do not match returned value [secretAccessKey]';
}
if (credentials.sessionToken !== null) {
if (credentials.sessionToken !== process.env['S3_SESSION_TOKEN']) {
throw 'static credentials do not match returned value [sessionToken]';
}
if (credentials.expiration !== null) {
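Review bot: with `S3_SESSION_TOKEN` now set unconditionally at the top of `testReadCredentialsWithAccessAndSecretKeySet`, the previous assertion `credentials.sessionToken !== null` has no replacement, so the token-absent case (static keys without a token must yield `sessionToken: null`) is no longer covered. Keep this test for the token-present case and add a sibling that sets only the access key and secret and asserts `credentials.sessionToken === null`; a third variant with `S3_SESSION_TOKEN=''` would pin down the empty-string behaviour of the new presence check.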
@@ -392,6 +393,7 @@ function testReadCredentialsWithAccessAndSecretKeySet() {
} finally {
delete process.env.S3_ACCESS_KEY_ID;
delete process.env.S3_SECRET_KEY;
delete process.env.S3_SESSION_TOKEN;
}
}

@@ -471,8 +473,10 @@ function testReadAndWriteCredentialsFromKeyValStore() {

let accessKeyId = process.env['S3_ACCESS_KEY_ID'];
let secretKey = process.env['S3_SECRET_KEY'];
let sessionToken = process.env['S3_SESSION_TOKEN'];
delete process.env.S3_ACCESS_KEY_ID;
delete process.env.S3_SECRET_KEY;
delete process.env.S3_SESSION_TOKEN

try {
let r = {
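Review bot: `delete process.env.S3_SESSION_TOKEN` is missing the trailing semicolon that the two `delete` statements above it have; add it for consistency with the rest of the file.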
@@ -500,6 +504,7 @@ function testReadAndWriteCredentialsFromKeyValStore() {
} finally {
process.env['S3_ACCESS_KEY_ID'] = accessKeyId;
process.env['S3_SECRET_KEY'] = secretKey;
process.env['S3_SESSION_TOKEN'] = sessionToken;
}
}
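Review bot: restoring with `process.env['S3_SESSION_TOKEN'] = sessionToken;` when the variable was not set before the test assigns `undefined`: under Node this stores the string `'undefined'`, and under njs it leaves the key present with an undefined value. Either way `'S3_SESSION_TOKEN' in process.env`, the check `readCredentials` now relies on, is true afterwards, so later tests can see a phantom token. Restore conditionally: assign only when `sessionToken !== undefined`, otherwise `delete process.env.S3_SESSION_TOKEN`. The same caveat now applies to the access key and secret lines above, since those are presence-checked too.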
