s3: use aws web identity role provider

This commit is contained in:
Tennix 2020-01-06 03:49:31 +08:00 committed by Nick Craig-Wood
parent 9d993e584b
commit 15d19131bd
2 changed files with 9 additions and 2 deletions

View file

@ -37,6 +37,7 @@ import (
"github.com/aws/aws-sdk-go/aws/corehandlers"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/defaults"
"github.com/aws/aws-sdk-go/aws/ec2metadata"
"github.com/aws/aws-sdk-go/aws/request"
@ -1009,6 +1010,11 @@ func s3Connection(opt *Options) (*s3.S3, *session.Session, error) {
}),
ExpiryWindow: 3 * time.Minute,
},
// Pick up IAM role if we are in EKS
&stscreds.WebIdentityRoleProvider{
ExpiryWindow: 3 * time.Minute,
},
}
cred := credentials.NewChainCredentials(providers)

View file

@ -270,8 +270,8 @@ The modified time is stored as metadata on the object as
`X-Amz-Meta-Mtime` as floating point since the epoch accurate to 1 ns.
If the modification time needs to be updated rclone will attempt to perform a server
side copy to update the modification if the object can be copied in a single part.
In the case the object is larger than 5Gb or is in Glacier or Glacier Deep Archive
side copy to update the modification if the object can be copied in a single part.
In the case the object is larger than 5Gb or is in Glacier or Glacier Deep Archive
storage the object will be uploaded rather than copied.
#### Restricted filename characters
@ -358,6 +358,7 @@ The different authentication methods are tried in this order:
- `AWS_PROFILE` to control which profile to use.
- Or, run `rclone` in an ECS task with an IAM role (AWS only).
- Or, run `rclone` on an EC2 instance with an IAM role (AWS only).
- Or, run `rclone` in an EKS pod with an IAM role that is associated with a service account (AWS only).
If none of these option actually end up providing `rclone` with AWS
credentials then S3 interaction will be non-authenticated (see below).