From 8ee6c6b3e73546b93da89aeb092a3a4985a28f8b Mon Sep 17 00:00:00 2001
From: Pietro Albini
Date: Thu, 1 Aug 2019 18:20:38 +0200
Subject: [PATCH] allow authenticating to AWS with the EC2 instance role

This changes the credentials provider used to fetch the AWS credentials from EnvironmentProvider (which just looked at environment variables) to DefaultCredentialsProvider, which looks at:
1. Environment variables
2. ~/.aws/credentials
3. EC2 instance roles
The old behavior is preserved when the environment variable is present, but this will also allow using EC2 instance roles which are going to be implemented on the production server. A new FORCE_S3 environment variable was also added.
---
 src/db/file.rs | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/db/file.rs b/src/db/file.rs
index f74bcb90e..8e32c3970 100644
--- a/src/db/file.rs
+++ b/src/db/file.rs
@@ -14,7 +14,7 @@ use error::Result;
 use failure::err_msg;
 use rusoto_s3::{S3, PutObjectRequest, GetObjectRequest, S3Client};
 use rusoto_core::region::Region;
-use rusoto_credential::EnvironmentProvider;
+use rusoto_credential::DefaultCredentialsProvider;
 fn get_file_list_from_dir>(path: P,
@@ -115,12 +115,19 @@ pub fn get_path(conn: &Connection, path: &str) -> Option {
 fn s3_client() -> Option {
 // If AWS keys aren't configured, then presume we should use the DB exclusively
 // for file storage.
- if std::env::var_os("AWS_ACCESS_KEY_ID").is_none() {
+ if std::env::var_os("AWS_ACCESS_KEY_ID").is_none() && std::env::var_os("FORCE_S3").is_none() {
 return None;
 }
+ let creds = match DefaultCredentialsProvider::new() {
+ Ok(creds) => creds,
+ Err(err) => {
+ warn!("failed to retrieve AWS credentials: {}", err);
+ return None;
+ }
+ };
 Some(S3Client::new_with(
 rusoto_core::request::HttpClient::new().unwrap(),
- EnvironmentProvider::default(),
+ creds,
 std::env::var("S3_ENDPOINT").ok().map(|e| Region::Custom {
 name: "us-west-1".to_owned(),
 endpoint: e,
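Review bot: `DefaultCredentialsProvider::new()` in the second hunk only builds the provider chain and, as far as I know, resolves nothing until the first request is signed, so the `Err` arm will not fire when `FORCE_S3` is set on a host with no usable role or profile; `s3_client()` then returns `Some` and the failure surfaces on the first get/put. Whether callers fall back to the database in that case is not visible here. The gate also treats any value of `FORCE_S3` as on (`FORCE_S3=0` included), and with `AWS_ACCESS_KEY_ID` set but the secret missing the chain presumably moves on to `~/.aws/credentials` or the instance role, so the process can end up running under a different identity than the operator configured. I would reword the log to `warn!("failed to initialize AWS credentials provider: {}", err);` and update the now-stale comment above the gate to `// Use S3 only when AWS_ACCESS_KEY_ID or FORCE_S3 is set; otherwise store files in the DB.` The body of `s3_client` continues past the end of the hunk.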