Add payload hash func and default host var; Move fetching credentials func to sig lib #126
Conversation
…edentials and debug - Move reusable functions of fectching credentials into awscredentials.js - Replace name of env variables of AWS credentials and debug to support common AWS signature lib for multiple services in AWS - Add a NJS var of default host name to be used for Role Session Name at multiple services in AWS - Add a payload hash function to support multiple services in AWS such as S3 and Lambda, and it can be used for not only GET but also POST method.
There was a problem hiding this comment.
Hi @shawnhankim thank you for the solid contribution. My apologies for the delay on the review. This all looks good and I had only a few comments/suggestions.
| @@ -34,24 +68,26 @@ function sessionToken(r) { | |||
| } | |||
|
|
|||
| /** | |||
| * Get the instance profile credentials needed to authenticated against S3 from | |||
| * Get the instance profile credentials needed to authenticate against S3 from | |||
| * a backend cache. If the credentials cannot be found, then return undefined. | |||
| * @param r {Request} HTTP request object (not used, but required for NGINX configuration) | |||
| * @returns {undefined|{accessKeyId: (string), secretAccessKey: (string), sessionToken: (string|null), expiration: (string|null)}} AWS instance profile credentials or undefined | |||
| */ | |||
| function readCredentials(r) { | |||
| // TODO: Change the generic constants naming for multiple AWS services. | |||
There was a problem hiding this comment.
This TODO comment can be removed because this PR does what is mentioned.
There was a problem hiding this comment.
Thanks for finding this. Addressed!
| @@ -34,7 +34,7 @@ required=("S3_BUCKET_NAME" "S3_SERVER" "S3_SERVER_PORT" "S3_SERVER_PROTO" | |||
| if [[ -v AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ]]; then | |||
| echo "Running inside an ECS task, using container credentials" | |||
|
|
|||
There was a problem hiding this comment.
Add a section to this script that detects the presence of S3_ environment variables, emits warnings that they are deprecated, and assigns those environment variables to the appropriate AWS_ environment variables.
There was a problem hiding this comment.
It is a great point. Thanks! Addressed. Let me know if you have any additional comments.
| @@ -23,6 +24,7 @@ js_var $indexIsEmpty true; | |||
| js_set $s3auth s3gateway.s3auth; | |||
| js_set $awsSessionToken awscredentials.sessionToken; | |||
| js_set $s3uri s3gateway.s3uri; | |||
| js_var $defaultHostName 'nginx-s3-gateway'; | |||
There was a problem hiding this comment.
What's the purpose of setting this variable?
There was a problem hiding this comment.
This is the purpose of option 2 in this link: #126 (comment)
There was a problem hiding this comment.
I have removed this variable, and you could find my answer in the #126 (comment).
| */ | ||
| async function _fetchWebIdentityCredentials(r) { | ||
| const arn = process.env['AWS_ROLE_ARN']; | ||
| const name = process.env['HOSTNAME'] || 'nginx-s3-gateway'; |
There was a problem hiding this comment.
How is the hardcoded value nginx-s3-gateway being used? It would be useful to have a comment about it.
There was a problem hiding this comment.
-
This is the existing hardcoded value in this repo's codebase. Looks like it is used as a default Role Session Name (
nginx-s3-gateway) in caseHOSTNAMEis missed. -
As we are moving this function into the common library(
awscredentials.js), we can consider one of the following options.- option 1. remove this default value (
nginx-s3-gateway) so customers must define the env var (HOSTNAME). - option 2. replace this value with other variable (e.g.
$defaultHostName). - option 3. any other suggestion?
- FYI:
- https://github.com/nginxinc/nginx-s3-gateway/pull/126/files#r1190281902
- https://github.com/shawnhankim/nginx-s3-gateway/blob/awssig-env/common/etc/nginx/include/awscredentials.js#L373
- https://github.com/shawnhankim/nginx-s3-gateway/blob/awssig-env/common/etc/nginx/templates/default.conf.template#L27
- option 1. remove this default value (
I was wondering what would be your suggestion.
There was a problem hiding this comment.
- I have removed this hardcoded value in this NJS code, because this NJS can be used for not only S3 but also other services such as Lambda.
- I have set this default value in the https://github.com/shawnhankim/nginx-s3-gateway/blob/awssig-env/common/docker-entrypoint.d/00-check-for-required-env.sh#L58 as the following example instead:
elif [[ -v AWS_WEB_IDENTITY_TOKEN_FILE ]]; then echo "Running inside EKS with IAM roles for service accounts" if [[ ! -v HOSTNAME ]]; then # This environment value is used for Role Session Name. The default value is # set as a nginx-s3-gateway unless the value is defined. HOSTNAME="nginx-s3-gateway" fi
- Let me know if you have other suggestion, or if you agree with this approach.
There was a problem hiding this comment.
This approach is I believe is the best we can do. I was considering modifying the startup scripts such that if the environment variable HOSTNAME is not set that script would run hostname and then set HOSTNAME to the value returned.
That said, I'm a bit confused about the above comment that indicates that HOSTNAME maps to the "Role Session Name" because both of those concepts do not seem the same.
There was a problem hiding this comment.
- Thanks for your opinion and original intent.
- Yeah, I was also confused about the comment and variable. So I have replaced
HOSTNAMEwithAWS_ROLE_SESSION_NAMEand added the depreciation message of the variable ofHOSTNAME.
- Set nginx-s3-gateway as a default value when HOSTNAME isn't set if AWS_WEB_IDENTITY_TOKEN_FILE is defined - Change depreciation message and terminate the bootstrap when credentials and debug variables are set with the prefix of 'S3_' fix: comment
To enhance common AWS sig & credentials lib for services in AWS.
Description:
awscredentials.jsMisc.: