allow authenticating to AWS with the EC2 instance role

This changes the credentials provider used to fetch the AWS credentials from EnvironmentProvider (which just looked at environment variables) to DefaultCredentialsProvider, which looks at: 1. Environment variables 2. ~/.aws/credentials 3. EC2 instance roles The old behavior is preserved when the environment variable is present, but this will also allow using EC2 instance roles which are going to be implemented on the production server. A new FORCE_S3 environment variable was also added.
rust-lang · Aug 1, 2019 · 8ee6c6b · 8ee6c6b
1 parent f01dedd
commit 8ee6c6b
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/src/db/file.rs b/src/db/file.rs
@@ -14,7 +14,7 @@ use error::Result;
 use failure::err_msg;
 use rusoto_s3::{S3, PutObjectRequest, GetObjectRequest, S3Client};
 use rusoto_core::region::Region;
-use rusoto_credential::EnvironmentProvider;
+use rusoto_credential::DefaultCredentialsProvider;
 
 
 fn get_file_list_from_dir<P: AsRef<Path>>(path: P,
@@ -115,12 +115,19 @@ pub fn get_path(conn: &Connection, path: &str) -> Option<Blob> {
 fn s3_client() -> Option<S3Client> {
     // If AWS keys aren't configured, then presume we should use the DB exclusively
     // for file storage.
-    if std::env::var_os("AWS_ACCESS_KEY_ID").is_none() {
+    if std::env::var_os("AWS_ACCESS_KEY_ID").is_none() && std::env::var_os("FORCE_S3").is_none() {
         return None;
     }
+    let creds = match DefaultCredentialsProvider::new() {
+        Ok(creds) => creds,
+        Err(err) => {
+            warn!("failed to retrieve AWS credentials: {}", err);
+            return None;
+        }
+    };
     Some(S3Client::new_with(
         rusoto_core::request::HttpClient::new().unwrap(),
-        EnvironmentProvider::default(),
+        creds,
         std::env::var("S3_ENDPOINT").ok().map(|e| Region::Custom {
             name: "us-west-1".to_owned(),
             endpoint: e,