From f4fb363fbb503d2abeea44ca7008100efd7469bd Mon Sep 17 00:00:00 2001
From: Jakub Coufal
Date: Fri, 4 Aug 2023 16:56:47 +0200
Subject: [PATCH] Backport https://github.com/cortexproject/cortex/pull/4897 to fix IDMSv1 (#2760)

* Backport https://github.com/cortexproject/cortex/pull/4897 to fix IDMSv1
Signed-off-by: Jakub Coufal
* Update CHANGELOG.md
Signed-off-by: Jakub Coufal
---------
Signed-off-by: Jakub Coufal
(cherry picked from commit ba621f626506f986e2c76cc379e6af56660891f4)
---
tempodb/backend/s3/awssdkauth.go | 40 ++++++++++++++++++++++++++++++++
tempodb/backend/s3/s3.go | 1 +
2 files changed, 41 insertions(+)
create mode 100644 tempodb/backend/s3/awssdkauth.go
diff --git a/tempodb/backend/s3/awssdkauth.go b/tempodb/backend/s3/awssdkauth.go
new file mode 100644
index 00000000000..9e7b488110f
--- /dev/null
+++ b/tempodb/backend/s3/awssdkauth.go
@@ -0,0 +1,40 @@
+package s3
+
+import (
+ "github.com/aws/aws-sdk-go/aws/credentials"
+ "github.com/aws/aws-sdk-go/aws/defaults"
+ mcreds "github.com/minio/minio-go/v7/pkg/credentials"
+ "github.com/pkg/errors"
+)
+
+func NewAWSSDKAuth(region string) *AWSSDKAuth {
+ dc := defaults.Config().WithRegion(region)
+ creds := defaults.CredChain(dc, defaults.Handlers())
+ return &AWSSDKAuth{
+ creds: creds,
+ }
+}
+
+// AWSSDKAuth retrieves credentials from the aws-sdk-go.
+type AWSSDKAuth struct {
+ creds *credentials.Credentials
+}
+
+// Retrieve retrieves the keys from the environment.
+func (a *AWSSDKAuth) Retrieve() (mcreds.Value, error) {
+ val, err := a.creds.Get()
+ if err != nil {
+ return mcreds.Value{}, errors.Wrap(err, "retrieve AWS SDK credentials")
+ }
+ return mcreds.Value{
+ AccessKeyID: val.AccessKeyID,
+ SecretAccessKey: val.SecretAccessKey,
+ SessionToken: val.SessionToken,
+ SignerType: mcreds.SignatureV4,
+ }, nil
+}
+
+// IsExpired returns if the credentials have been retrieved.
+func (a *AWSSDKAuth) IsExpired() bool {
+ return a.creds.IsExpired()
+}
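Review bot: The doc comments in this new file do not match the code: `Retrieve` is documented as reading "the keys from the environment" but returns whatever `defaults.CredChain` resolves, which in aws-sdk-go also covers the shared credentials file and the container or instance role endpoint, and `IsExpired` is documented as reporting whether credentials "have been retrieved" while it simply forwards `a.creds.IsExpired()`. Because this type decides which AWS identity the S3 backend runs as, the comments should name the real sources, e.g. `// Retrieve returns the credentials resolved by the aws-sdk-go default provider chain.` and `// IsExpired reports whether the cached credentials have expired and must be fetched again.` The exported `NewAWSSDKAuth` has no doc comment at all; `// NewAWSSDKAuth returns a provider backed by the aws-sdk-go default credential chain for region.` would cover it.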
diff --git a/tempodb/backend/s3/s3.go b/tempodb/backend/s3/s3.go
index 4e1143de71d..d1211c190db 100644
--- a/tempodb/backend/s3/s3.go
+++ b/tempodb/backend/s3/s3.go
@@ -356,6 +356,7 @@ func createCore(cfg *Config, hedge bool) (*minio.Core, error) {
 }

 creds := credentials.NewChainCredentials([]credentials.Provider{
+ wrapCredentialsProvider(NewAWSSDKAuth(cfg.Region)),
 wrapCredentialsProvider(&credentials.EnvAWS{}),
 wrapCredentialsProvider(&credentials.Static{
 Value: credentials.Value{
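Review bot: Placing `NewAWSSDKAuth(cfg.Region)` first in the chain puts the SDK's ambient credentials (environment, shared credentials file, container or instance role) ahead of the `credentials.Static` entry that follows. Assuming the chain uses the first provider that yields a value and that the static entry carries the keys from the Tempo config, an operator who sets explicit keys could find the process running as a different, possibly broader, identity without any indication. If that precedence is intended, say so above the added line, e.g. `// SDK default chain first: ambient credentials win over static keys from cfg`; if explicit configuration is meant to win, the entry belongs after the static provider. The rest of createCore, including the remaining providers and the contents of the static value, lies outside the hunk, so the final ordering should be confirmed there.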