s3: use aws web identity role provider

This commit is contained in:
Tennix 2020-01-06 03:49:31 +08:00 committed by Nick Craig-Wood
parent 9d993e584b
commit 15d19131bd
2 changed files with 9 additions and 2 deletions


@ -37,6 +37,7 @@ import (
"github.com/aws/aws-sdk-go/aws/corehandlers"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/defaults"
"github.com/aws/aws-sdk-go/aws/ec2metadata"
"github.com/aws/aws-sdk-go/aws/request"
@ -1009,6 +1010,11 @@ func s3Connection(opt *Options) (*s3.S3, *session.Session, error) {
}),
ExpiryWindow: 3 * time.Minute,
},
// Pick up IAM role if we are in EKS
&stscreds.WebIdentityRoleProvider{
ExpiryWindow: 3 * time.Minute,
},
}
cred := credentials.NewChainCredentials(providers)
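Review bot: The `stscreds.WebIdentityRoleProvider` appended to the chain is a zero-value struct with only `ExpiryWindow` set; in aws-sdk-go v1 the STS client, role ARN, session name and token fetcher are unexported fields that only the constructor populates, so as far as I can tell this provider cannot pick up `AWS_ROLE_ARN`/`AWS_WEB_IDENTITY_TOKEN_FILE` and will fail — or panic through a nil token fetcher, depending on the SDK version — whenever the earlier providers return nothing, which is exactly the EKS case the comment describes. Either construct it properly, e.g. `stscreds.NewWebIdentityRoleProvider(sts.New(session.Must(session.NewSession())), os.Getenv("AWS_ROLE_ARN"), "", os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"))` (the SDK derives a session name when it is empty), or let the SDK's own default chain resolve web identity by building the session with `SharedConfigState: session.SharedConfigEnable` and dropping the hand-rolled provider. Whichever is chosen, the EKS path should be verified in a real pod with a service-account role, since a provider that can never succeed is indistinguishable from a missing role to the operator and the docs now advertise it as working. `s3Connection` begins and ends outside this hunk.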


@ -358,6 +358,7 @@ The different authentication methods are tried in this order:
- `AWS_PROFILE` to control which profile to use.
- Or, run `rclone` in an ECS task with an IAM role (AWS only).
- Or, run `rclone` on an EC2 instance with an IAM role (AWS only).
- Or, run `rclone` in an EKS pod with an IAM role that is associated with a service account (AWS only).
If none of these option actually end up providing `rclone` with AWS
credentials then S3 interaction will be non-authenticated (see below).