add support for AWS AssumeRole with web identity file with tiering

This mainly allows - Operator STS https://github.com/minio/operator/blob/master/docs/STS.md - AWS WebIdentityToken file approach used in EKS clusters https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html
minio · Nov 22, 2023 · 1a10829 · 1a10829
1 parent cd338c9
commit 1a10829
Show file tree

Hide file tree

Showing 2 changed files with 150 additions and 14 deletions.
diff --git a/tier-s3.go b/tier-s3.go
@@ -1,5 +1,5 @@
 //
-// Copyright (c) 2015-2022 MinIO, Inc.
+// Copyright (c) 2015-2023 MinIO, Inc.
 //
 // This file is part of MinIO Object Storage stack
 //
@@ -23,14 +23,18 @@ package madmin
 
 // TierS3 represents the remote tier configuration for AWS S3 compatible backend.
 type TierS3 struct {
-	Endpoint     string `json:",omitempty"`
-	AccessKey    string `json:",omitempty"`
-	SecretKey    string `json:",omitempty"`
-	Bucket       string `json:",omitempty"`
-	Prefix       string `json:",omitempty"`
-	Region       string `json:",omitempty"`
-	StorageClass string `json:",omitempty"`
-	AWSRole      bool   `json:",omitempty"`
+	Endpoint                    string `json:",omitempty"`
+	AccessKey                   string `json:",omitempty"`
+	SecretKey                   string `json:",omitempty"`
+	Bucket                      string `json:",omitempty"`
+	Prefix                      string `json:",omitempty"`
+	Region                      string `json:",omitempty"`
+	StorageClass                string `json:",omitempty"`
+	AWSRole                     bool   `json:",omitempty"`
+	AWSRoleWebIdentityTokenFile string `json:",omitempty"`
+	AWSRoleARN                  string `json:",omitempty"`
+	AWSRoleSessionName          string `json:",omitempty"`
+	AWSRoleDurationSeconds      int    `json:",omitempty"`
 }
 
 // S3Options supports NewTierS3 to take variadic options
@@ -76,6 +80,38 @@ func S3AWSRole() func(s3 *TierS3) error {
 	}
 }
 
+// S3AWSRoleWebIdentityTokenFile helper to use optional AWS Role token file to NewTierS3
+func S3AWSRoleWebIdentityTokenFile(tokenFile string) func(s3 *TierS3) error {
+	return func(s3 *TierS3) error {
+		s3.AWSRoleWebIdentityTokenFile = tokenFile
+		return nil
+	}
+}
+
+// S3AWSRoleARN helper to use optional AWS RoleARN to NewTierS3
+func S3AWSRoleARN(roleARN string) func(s3 *TierS3) error {
+	return func(s3 *TierS3) error {
+		s3.AWSRoleARN = roleARN
+		return nil
+	}
+}
+
+// S3AWSRoleSessionName helper to use optional AWS RoleSessionName to NewTierS3
+func S3AWSRoleSessionName(roleSessionName string) func(s3 *TierS3) error {
+	return func(s3 *TierS3) error {
+		s3.AWSRoleSessionName = roleSessionName
+		return nil
+	}
+}
+
+// S3AWSRoleDurationSeconds helper to use optional token duration to NewTierS3
+func S3AWSRoleDurationSeconds(dsecs int) func(s3 *TierS3) error {
+	return func(s3 *TierS3) error {
+		s3.AWSRoleDurationSeconds = dsecs
+		return nil
+	}
+}
+
 // NewTierS3 returns a TierConfig of S3 type. Returns error if the given
 // parameters are invalid like name is empty etc.
 func NewTierS3(name, accessKey, secretKey, bucket string, options ...S3Options) (*TierConfig, error) {

diff --git a/tier-s3_gen.go b/tier-s3_gen.go