Enable AWS SDK for go authentication to fix IMDSv1 issue #4897
Conversation
friedrichg
force-pushed
the
allow-aws-sdk-auth
branch
from
71eac96 to
4f4bd2d
Compare
pkg/storage/bucket/s3/config.go
Outdated
| @@ -86,6 +87,7 @@ func (cfg *Config) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) { | |||
| f.BoolVar(&cfg.Insecure, prefix+"s3.insecure", false, "If enabled, use http:// for the S3 endpoint instead of https://. This could be useful in local dev/test environments while using an S3-compatible backend storage, like Minio.") | |||
| f.StringVar(&cfg.SignatureVersion, prefix+"s3.signature-version", SignatureVersionV4, fmt.Sprintf("The signature version to use for authenticating against S3. Supported values are: %s.", strings.Join(supportedSignatureVersions, ", "))) | |||
| f.StringVar(&cfg.BucketLookupType, prefix+"s3.bucket-lookup-type", BucketAutoLookup, fmt.Sprintf("The s3 bucket lookup style. Supported values are: %s.", strings.Join(supportedBucketLookupTypes, ", "))) | |||
| f.BoolVar(&cfg.AWSSDKAuth, prefix+"s3.aws-sdk-auth", false, "If enabled, the client will use default authentication methods of the AWS GO SDK for go based on known environment variables and known AWS config files.") | |||
There was a problem hiding this comment.
default should be true?
If this is false we are changing the behavior as far as i understood?
There was a problem hiding this comment.
I think this is default is false in thanos
There was a problem hiding this comment.
actually, after looking at Thanos' code a bit I am wondering if we should just "hardcode" AWSSDKAuth: true and not to have yet-another-configuration. Let me take a closer look to see if there is any cred resolution strategy that is not covered by AWSSDKAuth before its introduction.
There was a problem hiding this comment.
After reading thanos-io/thanos#4667 and the code I think it's safe to just use AWSSDKAuth: true and don't expose yet-another-config. I am not sure what would be the benefit of using the the cred providers from minio over aws go sdk v2; I think minio didn't use aws sdk to minimize dependencies?
Also, we will need to have some logic to set AWSSDKAuth: false if AccessKeyID is defined; they can't co-exist.
There was a problem hiding this comment.
I agree these options are hard to decide by users and we should try to avoid them. I am happy you jump on this quick :)
But here is the thing: s3 provider in objstore supports AWSSDKAuth: false and AccessKey: "".
this is the code path my configuration was using in AWS and it was just by chance working due to their bug.
This makes no sense to AWS, but it makes sense to minio. Because minio has support for access without AccessKey that sort of works like AWS but doesn't use AWS libraries. See https://min.io/docs/minio/linux/developers/security-token-service.html
So I think the other possible solution to this is to rename our current s3 provider to minio provider and have a native s3 provider that sets AWSSDKAuth: true or even better don't use any minio at all. In that sense, Thanos should also do the same, I think.
I like this option better because it simplifies the use case for AWS and still enables minio.
Let me know what you think @alvinlin123 @alanprot @yeya24
There was a problem hiding this comment.
I think the resolver chain from Thanos at https://github.com/thanos-io/objstore/blob/cec51c61948b0c04b60c035fd372cc83a540881b/providers/s3/s3.go#L231-L242 is a subset of what the AWS SDK does.
In other words, the following cred resolving order implemented in Minio is covered by the AWS SDK; AWS SDK supports assume role with web identity, env var, loading shared profile etc.
chain = []credentials.Provider{
wrapCredentialsProvider(&credentials.EnvAWS{}),
wrapCredentialsProvider(&credentials.FileAWSCredentials{}),
wrapCredentialsProvider(&credentials.IAM{
Client: &http.Client{
Transport: http.DefaultTransport,
},
Endpoint: config.STSEndpoint,
}),
}
So what works previously, AWSSDKAuth: false AccessKeyID:"", should be equivalent to AWSSDKAuth: true AccessKeyID:"" with the current version of Thanos and Minio.
Would you be able give AWSSDKAuth: true AccessKeyID:"" a try and see if it work on some of your test cluster?
There was a problem hiding this comment.
I see. AWS SDK might also do the right thing with minio in all the use cases, even without AccessKey.
Then we can skip this code path completely.
My use case is solved with AWSDKAuth: true, yes. Let me implement the logic you mentioned before about nonempty AccessKey.
alvinlin123
dismissed
their stale review
I have second thought on exposing new config
Signed-off-by: Friedrich Gonzalez <[email protected]>
friedrichg
force-pushed
the
allow-aws-sdk-auth
branch
from
4f4bd2d to
8fe520e
Compare
|
Tested this minio using access_key_id and secret_access_key and see no problem. Click to expand!mini.yml We also have integration tests based on minio. Ready for review |
friedrichg
changed the title
* Backport cortexproject/cortex#4897 to fix IDMSv1 Signed-off-by: Jakub Coufal <[email protected]> * Update CHANGELOG.md Signed-off-by: Jakub Coufal <[email protected]> --------- Signed-off-by: Jakub Coufal <[email protected]>
* Backport cortexproject/cortex#4897 to fix IDMSv1 Signed-off-by: Jakub Coufal <[email protected]> * Update CHANGELOG.md Signed-off-by: Jakub Coufal <[email protected]> --------- Signed-off-by: Jakub Coufal <[email protected]> (cherry picked from commit ba621f6)
* Backport cortexproject/cortex#4897 to fix IDMSv1 Signed-off-by: Jakub Coufal <[email protected]> * Update CHANGELOG.md Signed-off-by: Jakub Coufal <[email protected]> --------- Signed-off-by: Jakub Coufal <[email protected]> (cherry picked from commit ba621f6) Co-authored-by: Jakub Coufal <[email protected]>
What this PR does:
Introduces a boolean flag to enable AWS SDK for go authEnables AWS SDK for go auth
Which issue(s) this PR fixes:
Enable IMDSv1 again #4896 and most likely other use cases
Checklist
CHANGELOG.mdupdated - the order of entries should be[CHANGE],[FEATURE],[ENHANCEMENT],[BUGFIX]