Only use anon credentials for public s3 buckets (#187)
* Only use anon credentials for public s3 buckets

Fixes #188
cmckeen authored Oct 1, 2021
1 parent 6ac4c7a commit 080c2e5
Showing 5 changed files with 17 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -23,6 +23,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Nothing.

## [1.2.2] - 2021-10-01

- [#188](https://github.com/meltwater/drone-cache/pull/188) v1.2.0 breaks EC2 IAM role bucket access

## [1.2.1] - 2021-09-30

### Added
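Review bot: the new `## [1.2.2]` entry records only the issue title (`v1.2.0 breaks EC2 IAM role bucket access`) with no heading, while the neighbouring `## [1.2.1]` section groups its lines under `### Added`; add a `### Fixed` heading and state the actual behaviour change, namely that anonymous credentials are now applied only when the new `--s3-bucket-public` option is set and the SDK's normal credential lookup (including the EC2 instance role) is used otherwise, since that is what someone upgrading from 1.2.0 needs to know.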
1 change: 1 addition & 0 deletions README.md
@@ -180,6 +180,7 @@ GLOBAL OPTIONS:
--path-style AWS path style to use for bucket paths. (true for minio, false for aws) (default: false) [$PLUGIN_PATH_STYLE, $AWS_PLUGIN_PATH_STYLE]
--acl value upload files with acl (private, public-read, ...) (default: "private") [$PLUGIN_ACL, $AWS_ACL]
--encryption value server-side encryption algorithm, defaults to none. (AES256, aws:kms) [$PLUGIN_ENCRYPTION, $AWS_ENCRYPTION]
--s3-bucket-public value Set to use anonymous credentials with public S3 bucket [$PLUGIN_S3_BUCKET_PUBLIC, $S3_BUCKET_PUBLIC]
--sts-endpoint value Custom STS endpoint for IAM role assumption [$PLUGIN_STS_ENDPOINT, $AWS_STS_ENDPOINT]
--role-arn value AWS IAM role ARN to assume [$PLUGIN_ASSUME_ROLE_ARN, $AWS_ASSUME_ROLE_ARN]
--gcs.api-key value Google service account API key [$PLUGIN_API_KEY, $GCP_API_KEY]
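Review bot: the new `--s3-bucket-public value` line documents an option that takes a value but never says which value enables it, whereas `run()` reads it through `c.Bool`; either spell out the accepted value (for example `Set to true to use anonymous credentials with a public S3 bucket`) or, better, document it as a valueless boolean option like `--path-style` two lines above, which is shown with a `(default: false)` and no `value` placeholder.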
6 changes: 6 additions & 0 deletions main.go
@@ -363,6 +363,11 @@ func main() {
Usage: "server-side encryption algorithm, defaults to none. (AES256, aws:kms)",
EnvVars: []string{"PLUGIN_ENCRYPTION", "AWS_ENCRYPTION"},
},
&cli.StringFlag{
Name: "s3-bucket-public",
Usage: "Set to use anonymous credentials with public S3 bucket",
EnvVars: []string{"PLUGIN_S3_BUCKET_PUBLIC", "S3_BUCKET_PUBLIC"},
},
&cli.StringFlag{
Name: "sts-endpoint",
Usage: "Custom STS endpoint for IAM role assumption",
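Review bot: the new flag is declared as a `cli.StringFlag` but consumed with `c.Bool("s3-bucket-public")` in `run()`, which leaves the accepted values implicit and makes a bare `--s3-bucket-public` (no argument) an error; declare it as a `cli.BoolFlag`, matching `--path-style` (also read via `c.Bool` in the same struct literal), so the CLI switch and `PLUGIN_S3_BUCKET_PUBLIC=true` behave the same way. Separately, the second environment variable `S3_BUCKET_PUBLIC` drops the `AWS_` prefix used by the surrounding options (`AWS_ENCRYPTION`, `AWS_STS_ENDPOINT`); consider `AWS_S3_BUCKET_PUBLIC` unless the bare name is intentional.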
@@ -546,6 +551,7 @@ func run(c *cli.Context) error {
Endpoint: c.String("endpoint"),
Key: c.String("access-key"),
PathStyle: c.Bool("path-style"),
Public: c.Bool("s3-bucket-public"),
Region: c.String("region"),
Secret: c.String("secret-key"),
StsEndpoint: c.String("sts-endpoint"),
1 change: 1 addition & 0 deletions storage/backend/s3/config.go
@@ -30,4 +30,5 @@ type Config struct {
Secret string

PathStyle bool // Use path style instead of domain style. Should be true for minio and false for AWS.
Public bool
}
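Review bot: `Public bool` is added without a doc comment while the adjacent `PathStyle` field carries one; document that setting it makes the backend use anonymous credentials, and say how it interacts with `Key`/`Secret`, since which credential source the backend ends up using is the security-relevant property of this config and a reader of the struct alone cannot tell.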
6 changes: 5 additions & 1 deletion storage/backend/s3/s3.go
@@ -36,7 +36,11 @@ func New(l log.Logger, c Config, debug bool) (*Backend, error) {
Endpoint: &c.Endpoint,
DisableSSL: aws.Bool(!strings.HasPrefix(c.Endpoint, "https://")),
S3ForcePathStyle: aws.Bool(c.PathStyle),
Credentials: credentials.AnonymousCredentials,
}

// Use anonymous credentials if the S3 bucket is public
if c.Public {
conf.Credentials = credentials.AnonymousCredentials
}

if c.Key != "" && c.Secret != "" {
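Review bot: the precedence between `c.Public` and the static-key path is left implicit: `conf.Credentials = credentials.AnonymousCredentials` is assigned first and the `if c.Key != "" && c.Secret != ""` branch runs afterwards, so a configuration that sets both will silently end up with whichever that branch decides. Either return an error when `Public` is combined with `Key`/`Secret` (or a role ARN), or log which credential source was chosen, so that an unintended anonymous session against a bucket that must be authenticated, or an authenticated session where anonymous access was requested, shows up in the build log rather than failing later with an access error. Dropping the unconditional `Credentials: credentials.AnonymousCredentials` from the config literal is the right fix for the IAM-role regression, because leaving `Credentials` unset lets the SDK fall back to its default provider chain (environment, shared config, instance role).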

0 comments on commit 080c2e5