s3: change AWS S3 authentication sequence (#732)

* auth sequence reordered. IAM instance profile moved to the end of the list * update storage.md with the new auth sequence.
thanos-io · Jan 14, 2019 · 4e20faf · 4e20faf
1 parent 63c6895
commit 4e20faf
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/docs/storage.md b/docs/storage.md
@@ -63,9 +63,9 @@ For debug purposes you can set `insecure: true` to switch to plain insecure HTTP
 By default Thanos will try to retrieve credentials from the following sources:
 
 1. From config file if BOTH `access_key` and `secret_key` are present.
-1. IAM credentials retrieved from an instance profile.
-1. From `~/.aws/credentials`
 1. From the standard AWS environment variable - `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`
+1. From `~/.aws/credentials`
+1. IAM credentials retrieved from an instance profile.
 
 NOTE: Getting access key from config file and secret key from other method (and vice versa) is not supported. 
 

diff --git a/pkg/objstore/s3/s3.go b/pkg/objstore/s3/s3.go
@@ -105,13 +105,13 @@ func NewBucketWithConfig(logger log.Logger, config Config, component string) (*B
 		}}
 	} else {
 		chain = []credentials.Provider{
+			&credentials.EnvAWS{},
+			&credentials.FileAWSCredentials{},			
 			&credentials.IAM{
 				Client: &http.Client{
 					Transport: http.DefaultTransport,
 				},
 			},
-			&credentials.FileAWSCredentials{},
-			&credentials.EnvAWS{},
 		}
 	}