diff --git a/backend/s3/s3.go b/backend/s3/s3.go
index 5ea0a5a24..6bd950f91 100644
--- a/backend/s3/s3.go
+++ b/backend/s3/s3.go
@@ -37,6 +37,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/corehandlers"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/defaults"
 	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"github.com/aws/aws-sdk-go/aws/request"
@@ -1009,6 +1010,11 @@ func s3Connection(opt *Options) (*s3.S3, *session.Session, error) {
 			}),
 			ExpiryWindow: 3 * time.Minute,
 		},
+
+		// Pick up IAM role if we are in EKS
+		&stscreds.WebIdentityRoleProvider{
+			ExpiryWindow: 3 * time.Minute,
+		},
 	}
 	cred := credentials.NewChainCredentials(providers)
 
diff --git a/docs/content/s3.md b/docs/content/s3.md
index 7ffdbed8c..539cf5ce7 100644
--- a/docs/content/s3.md
+++ b/docs/content/s3.md
@@ -270,8 +270,8 @@ The modified time is stored as metadata on the object as `X-Amz-Meta-Mtime` as floating point since the epoch accurate to 1 ns. If the modification time needs to be updated rclone will attempt to perform a server -side copy to update the modification if the object can be copied in a single part. -In the case the object is larger than 5Gb or is in Glacier or Glacier Deep Archive +side copy to update the modification if the object can be copied in a single part. +In the case the object is larger than 5Gb or is in Glacier or Glacier Deep Archive storage the object will be uploaded rather than copied. #### Restricted filename characters 
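Review bot: The `&stscreds.WebIdentityRoleProvider{ExpiryWindow: 3 * time.Minute}` literal appended to the provider chain in s3Connection sets only the expiry window; the STS client, role ARN and token source the provider needs for AssumeRoleWithWebIdentity are unexported fields that stay zero-valued, so unless the SDK version pinned in go.mod fills them in some way I cannot see here, this provider presumably cannot succeed in an EKS pod with a service-account role (and may dereference a nil client when the chain falls through to it). The SDK constructor populates those fields: `p := stscreds.NewWebIdentityRoleProvider(sts.New(sess), os.Getenv("AWS_ROLE_ARN"), "", os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"))` followed by `p.ExpiryWindow = 3 * time.Minute`, where `sess` is the session the EC2 provider above is built from. That requires `github.com/aws/aws-sdk-go/service/sts` (and `os`, if not already imported) in the import hunk. s3Connection starts and ends outside the hunk, so the session variable's name and whether `os` is already imported are not visible from here.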
@@ -358,6 +358,7 @@ The different authentication methods are tried in this order: - `AWS_PROFILE` to control which profile to use. - Or, run `rclone` in an ECS task with an IAM role (AWS only). - Or, run `rclone` on an EC2 instance with an IAM role (AWS only). + - Or, run `rclone` in an EKS pod with an IAM role that is associated with a service account (AWS only). If none of these option actually end up providing `rclone` with AWS credentials then S3 interaction will be non-authenticated (see below).