From fa0a1e7261f5981e5f9734e2fbda38236eeeba40 Mon Sep 17 00:00:00 2001
From: Erik Swanson
Date: Tue, 6 Nov 2018 18:50:28 -0800
Subject: [PATCH] s3: fix role_arn, credential_source, ... When the env_auth option is enabled, the AWS SDK's session constructor now loads configuration from ~/.aws/config and environment variables, and credentials per the selected (or default) AWS_PROFILE's settings. This is accomplished by **NOT** including any Credential provider in the aws.Config passed to the session constructor: If the Config.Credentials is non-nil, that will always be used and the user's configuration re role_arn, credential_source, source_profile, etc... from the shared config will be completely ignored. (The conditional creation and configuration of the stscreds Credential provider is complicated enough that it is not worth re-creating that logic.)
---
 backend/s3/s3.go | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/backend/s3/s3.go b/backend/s3/s3.go
index 0c95218a5..788e81017 100644
--- a/backend/s3/s3.go
+++ b/backend/s3/s3.go
@@ -804,8 +804,21 @@ func s3Connection(opt *Options) (*s3.S3, *session.Session, error) {
 WithHTTPClient(fshttp.NewClient(fs.Config)).
 WithS3ForcePathStyle(opt.ForcePathStyle)
 // awsConfig.WithLogLevel(aws.LogDebugWithSigning)
- ses := session.New()
- c := s3.New(ses, awsConfig)
+ awsSessionOpts := session.Options{
+ Config: *awsConfig,
+ }
+ if opt.EnvAuth && opt.AccessKeyID == "" && opt.SecretAccessKey == "" {
+ // Enable loading config options from ~/.aws/config (selected by AWS_PROFILE env)
+ awsSessionOpts.SharedConfigState = session.SharedConfigEnable
+ // The session constructor (aws/session/mergeConfigSrcs) will only use the user's preferred credential source
+ // (from the shared config file) if the passed-in Options.Config.Credentials is nil.
+ awsSessionOpts.Config.Credentials = nil
+ }
+ ses, err := session.NewSessionWithOptions(awsSessionOpts)
+ if err != nil {
+ return nil, nil, err
+ }
+ c := s3.New(ses)
 if opt.V2Auth || opt.Region == "other-v2-signature" {
 fs.Debugf(nil, "Using v2 auth")
 signer := func(req *request.Request) {
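Review bot: The bare `return nil, nil, err` after `session.NewSessionWithOptions` gives the user no hint that the failure came from loading the shared AWS config, which is a new failure mode for s3Connection (the old `session.New()` returned no error). With `SharedConfigEnable` the identity rclone ends up using is chosen by `AWS_PROFILE` and the contents of ~/.aws/config rather than by the remote's own options, so I would add context to that error with whatever wrapping helper the file already imports (the imports are not visible here), and add a line such as `fs.Debugf(nil, "env_auth: resolving credentials from shared AWS config")` inside the `if` so an operator can tell which path selected the credentials. The guard also requires both `opt.AccessKeyID` and `opt.SecretAccessKey` to be empty; a remote with only one of them set silently keeps the credential chain built earlier in the function, outside this hunk, which deserves a comment or an explicit error. s3Connection's body starts and ends outside the hunk.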