add keys in file node configuration to provide S3 credentials

for self-hosted use cases, users might use an S3-compatible service like MinIO. This service requires authentication using access keys however it does not really make sense for users to create an AWS configuration on the machine since there is no AWS account involved. Moreover, for using MinIO, path style is mandatory unless users setup some kind of DNS resolution for their buckets. I think it is best to avoid this complication and simply force the path style with the related option in the AWS SDK.
anyproto · Aug 5, 2023 · e945148 · e945148
1 parent ef9c09c
commit e945148
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 10 deletions.
diff --git a/store/s3store/config.go b/store/s3store/config.go
@@ -4,10 +4,17 @@ type configSource interface {
 	GetS3Store() Config
 }
 
+type Credentials struct {
+	AccessKey string `yaml:"accessKey"`
+	SecretKey string `yaml:"secretKey"`
+}
+
 type Config struct {
-	Profile    string `yaml:"profile"`
-	Region     string `yaml:"region"`
-	Bucket     string `yaml:"bucket"`
-	Endpoint   string `yaml:"endpoint"`
-	MaxThreads int    `yaml:"maxThreads"`
+	Profile        string      `yaml:"profile"`
+	Region         string      `yaml:"region"`
+	Bucket         string      `yaml:"bucket"`
+	Endpoint       string      `yaml:"endpoint"`
+	MaxThreads     int         `yaml:"maxThreads"`
+	Credentials    Credentials `yaml:"credentials"`
+	ForcePathStyle bool        `yaml:"forcePathStyle"`
 }
diff --git a/store/s3store/s3store.go b/store/s3store/s3store.go
@@ -4,19 +4,21 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"io"
+	"sync"
+	"time"
+
 	"github.com/anyproto/any-sync-filenode/store"
 	"github.com/anyproto/any-sync/app"
 	"github.com/anyproto/any-sync/app/logger"
 	"github.com/anyproto/any-sync/commonfile/fileblockstore"
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/s3"
 	blocks "github.com/ipfs/go-block-format"
 	"github.com/ipfs/go-cid"
 	"go.uber.org/zap"
-	"io"
-	"sync"
-	"time"
 )
 
 const CName = fileblockstore.CName
@@ -54,13 +56,30 @@ func (s *s3store) Init(a *app.App) (err error) {
 	if conf.Endpoint != "" {
 		endpoint = aws.String(conf.Endpoint)
 	}
+
+	var creds *credentials.Credentials = nil
+	// If creds are provided in the configuration, they are directly forwarded to the client as static credentials.
+	// This is mainly used for self-hosted scenarii where users store the data in a S3-compatible object store. In that
+	// case it does not really make sense to create an AWS configuration since there is no related AWS account.
+	// If credentials are not provided in the config however, the AWS credentials are determined by the SDK.
+	if conf.Credentials.AccessKey != "" && conf.Credentials.SecretKey != "" {
+		creds = credentials.NewStaticCredentials(conf.Credentials.AccessKey, conf.Credentials.SecretKey, "")
+	}
+
 	s.sess, err = session.NewSessionWithOptions(session.Options{
 		Profile: conf.Profile,
 		Config: aws.Config{
-			Region:   aws.String(conf.Region),
-			Endpoint: endpoint,
+			Region:      aws.String(conf.Region),
+			Endpoint:    endpoint,
+			Credentials: creds,
+			// By default S3 client uses virtual hosted bucket addressing when possible but this cannot work
+			// for self-hosted. We can switch to path style instead with a configuration flag.
+			S3ForcePathStyle: aws.Bool(conf.ForcePathStyle),
 		},
 	})
+	if err != nil {
+		return fmt.Errorf("failed to create session to s3: %v", err)
+	}
 	s.bucket = aws.String(conf.Bucket)
 	s.client = s3.New(s.sess)
 	s.limiter = make(chan struct{}, conf.MaxThreads)