Add s3 credential support (#1606)

Author: eandre

Cargo.lock

@@ -384,8 +384,10 @@ func (c *legacyConverter) Convert() (*config.Runtime, error) {
 				switch prov := cluster.Provider.(type) {
 				case *runtimev1.BucketCluster_S3_:
 					p.S3 = &config.S3BucketProvider{
-						Region:   prov.S3.GetRegion(),
-						Endpoint: prov.S3.Endpoint,
+						Region:          prov.S3.GetRegion(),
+						Endpoint:        prov.S3.Endpoint,
+						AccessKeyID:     prov.S3.AccessKeyId,
+						SecretAccessKey: ptrOrNil(c.secretString(prov.S3.SecretAccessKey)),
 					}
 				case *runtimev1.BucketCluster_Gcs:
 					p.GCS = &config.GCSBucketProvider{
@@ -640,6 +642,14 @@ func ptr[T comparable](val T) *T {
 	return &val
 }
 
+func ptrOrNil[T comparable](val T) *T {
+	var zero T
+	if val == zero {
+		return nil
+	}
+	return &val
+}
+
 func randomMapValue[K comparable, V any](m map[K]V) (V, bool) {
 	for _, v := range m {
 		return v, true

pkg/rtconfgen/convert.go

@@ -323,6 +323,11 @@ message BucketCluster {
 
     // Endpoint override, if any. Must be specified if using a non-standard AWS region.
     optional string endpoint = 2;
+
+    // Set these to use explicit credentials for this bucket,
+    // as opposed to resolving using AWS's default credential chain.
+    optional string access_key_id = 3;
+    optional SecretData secret_access_key = 4;
   }
 
   message GCS {

proto/encore/runtime/v1/infra.pb.go

@@ -93,6 +93,7 @@ md5 = "0.7.0"
 aws-sdk-s3 = "1.58.0"
 aws-smithy-types = { version = "1.2.8", features = ["byte-stream-poll-next", "rt-tokio"] }
 percent-encoding = "2.3.1"
+aws-credential-types = "1.2.1"
 
 [build-dependencies]
 prost-build = "0.12.3"

proto/encore/runtime/v1/infra.proto

@@ -46,6 +46,8 @@ pub struct GCS {
 pub struct S3 {
     pub region: String,
     pub endpoint: Option<String>,
+    pub access_key_id: Option<String>,
+    pub secret_access_key: Option<EnvString>,
     pub buckets: HashMap<String, Bucket>,
 }
 
@@ -461,6 +463,11 @@ pub fn map_infra_to_runtime(infra: InfraConfig) -> RuntimeConfig {
                         pbruntime::bucket_cluster::S3 {
                             region: s3.region,
                             endpoint: s3.endpoint,
+                            access_key_id: s3.access_key_id,
+                            secret_access_key: s3
+                                .secret_access_key
+                                .as_ref()
+                                .map(map_env_string_to_secret_data),
                         },
                     )),
                     buckets: s3

runtimes/core/Cargo.toml

@@ -331,7 +331,8 @@ impl Runtime {
             .context("failed to resolve gateway push subscriptions")?;
 
         let pubsub = pubsub::Manager::new(tracer.clone(), resources.pubsub_clusters, &md)?;
-        let objects = objects::Manager::new(tracer.clone(), resources.bucket_clusters, &md);
+        let objects =
+            objects::Manager::new(&secrets, tracer.clone(), resources.bucket_clusters, &md);
         let sqldb = sqldb::ManagerConfig {
             clusters: resources.sql_clusters,
             creds: &creds,

runtimes/core/src/infracfg.rs

@@ -363,7 +363,7 @@ impl objects::ObjectImpl for Object {
             return Err(PublicUrlError::PrivateBucket);
         };
 
-        let url = objects::public_url(base_url, self.bkt.key_prefix.as_deref(), &self.key);
+        let url = objects::public_url(base_url, &self.key);
         Ok(url)
     }
 }

runtimes/core/src/lib.rs

@@ -5,6 +5,7 @@ use crate::encore::parser::meta::v1 as meta;
 use crate::encore::runtime::v1 as pb;
 use crate::names::EncoreName;
 use crate::objects::{gcs, noop, s3, BucketImpl, ClusterImpl};
+use crate::secrets;
 use crate::trace::Tracer;
 
 use super::Bucket;
@@ -17,8 +18,13 @@ pub struct Manager {
 }
 
 impl Manager {
-    pub fn new(tracer: Tracer, clusters: Vec<pb::BucketCluster>, md: &meta::Data) -> Self {
-        let bucket_cfg = make_cfg_maps(clusters, md);
+    pub fn new(
+        secrets: &secrets::Manager,
+        tracer: Tracer,
+        clusters: Vec<pb::BucketCluster>,
+        md: &meta::Data,
+    ) -> Self {
+        let bucket_cfg = make_cfg_maps(secrets, clusters, md);
 
         Self {
             tracer,
@@ -54,13 +60,20 @@ impl Manager {
 }
 
 fn make_cfg_maps(
+    secrets: &secrets::Manager,
     clusters: Vec<pb::BucketCluster>,
     _md: &meta::Data,
 ) -> HashMap<EncoreName, (Arc<dyn ClusterImpl>, pb::Bucket)> {
     let mut bucket_map = HashMap::new();
 
     for cluster_cfg in clusters {
-        let cluster = new_cluster(&cluster_cfg);
+        let cluster = match cluster_cfg.provider {
+            Some(provider) => new_cluster(secrets, provider),
+            None => {
+                log::error!("missing bucket cluster provider: {}", cluster_cfg.rid);
+                Arc::new(noop::Cluster)
+            }
+        };
 
         for bucket_cfg in cluster_cfg.buckets {
             bucket_map.insert(
@@ -73,14 +86,18 @@ fn make_cfg_maps(
     bucket_map
 }
 
-fn new_cluster(cluster: &pb::BucketCluster) -> Arc<dyn ClusterImpl> {
-    let Some(provider) = &cluster.provider else {
-        log::error!("missing bucket cluster provider: {}", cluster.rid);
-        return Arc::new(noop::Cluster);
-    };
-
+fn new_cluster(
+    secrets: &secrets::Manager,
+    provider: pb::bucket_cluster::Provider,
+) -> Arc<dyn ClusterImpl> {
     match provider {
-        pb::bucket_cluster::Provider::S3(s3cfg) => Arc::new(s3::Cluster::new(s3cfg)),
+        pb::bucket_cluster::Provider::S3(s3cfg) => {
+            let secret_access_key = s3cfg
+                .secret_access_key
+                .as_ref()
+                .map(|k| secrets.load(k.clone()));
+            Arc::new(s3::Cluster::new(s3cfg, secret_access_key))
+        }
         pb::bucket_cluster::Provider::Gcs(gcscfg) => Arc::new(gcs::Cluster::new(gcscfg.clone())),
     }
 }

runtimes/core/src/objects/gcs/bucket.rs

@@ -493,16 +493,13 @@ fn escape_path(s: &str) -> Cow<'_, str> {
     percent_encoding::percent_encode(s.as_bytes(), PATH).into()
 }
 
-/// Computes the public url given a base url, optional key prefix, and object name.
-fn public_url(base_url: String, key_prefix: Option<&str>, name: &str) -> String {
+/// Computes the public url given a base url and object name.
+fn public_url(base_url: String, name: &str) -> String {
     let mut url = base_url;
 
     if !url.ends_with('/') {
         url.push('/');
     }
-    if let Some(key_prefix) = key_prefix {
-        url.push_str(&escape_path(key_prefix));
-    }
     url.push_str(&escape_path(name));
     url
 }

runtimes/core/src/objects/manager.rs

@@ -375,7 +375,7 @@ impl objects::ObjectImpl for Object {
             return Err(PublicUrlError::PrivateBucket);
         };
 
-        let url = objects::public_url(base_url, self.bkt.key_prefix.as_deref(), &self.name);
+        let url = objects::public_url(base_url, &self.name);
         Ok(url)
     }
 }

runtimes/core/src/objects/mod.rs

@@ -3,6 +3,7 @@ use std::sync::Arc;
 use crate::encore::runtime::v1 as pb;
 use crate::objects;
 use crate::objects::s3::bucket::Bucket;
+use crate::secrets::Secret;
 use aws_sdk_s3 as s3;
 
 mod bucket;
@@ -13,8 +14,8 @@ pub struct Cluster {
 }
 
 impl Cluster {
-    pub fn new(cfg: &pb::bucket_cluster::S3) -> Self {
-        let client = Arc::new(LazyS3Client::new(cfg.clone()));
+    pub fn new(cfg: pb::bucket_cluster::S3, secret_access_key: Option<Secret>) -> Self {
+        let client = Arc::new(LazyS3Client::new(cfg, secret_access_key));
         Self { client }
     }
 }
@@ -27,6 +28,7 @@ impl objects::ClusterImpl for Cluster {
 
 struct LazyS3Client {
     cfg: pb::bucket_cluster::S3,
+    secret_access_key: Option<Secret>,
     cell: tokio::sync::OnceCell<Arc<s3::Client>>,
 }
 
@@ -37,9 +39,10 @@ impl std::fmt::Debug for LazyS3Client {
 }
 
 impl LazyS3Client {
-    fn new(cfg: pb::bucket_cluster::S3) -> Self {
+    fn new(cfg: pb::bucket_cluster::S3, secret_access_key: Option<Secret>) -> Self {
         Self {
             cfg,
+            secret_access_key,
             cell: tokio::sync::OnceCell::new(),
         }
     }
@@ -54,6 +57,26 @@ impl LazyS3Client {
                     builder = builder.endpoint_url(endpoint.clone());
                 }
 
+                if let (Some(access_key_id), Some(secret_access_key)) = (
+                    self.cfg.access_key_id.as_ref(),
+                    self.secret_access_key.as_ref(),
+                ) {
+                    use aws_credential_types::Credentials;
+                    let secret_access_key = secret_access_key
+                        .get()
+                        .expect("unable to resolve s3 secret access key");
+                    let secret_access_key = std::str::from_utf8(secret_access_key)
+                        .expect("unable to parse s3 secret access key as utf-8");
+
+                    builder = builder.credentials_provider(Credentials::new(
+                        access_key_id,
+                        secret_access_key,
+                        None,
+                        None,
+                        "encore-runtime",
+                    ));
+                }
+
                 let cfg = builder.load().await;
                 Arc::new(s3::Client::new(&cfg))
             })

runtimes/core/src/objects/s3/bucket.rs

@@ -406,6 +406,10 @@ type S3BucketProvider struct {
 	// The endpoint to use. If nil, the default endpoint for the region is used.
 	// Must be set for non-AWS endpoints.
 	Endpoint *string `json:"endpoint"`
+
+	// The access key to use. If either is nil, the default credentials are used.
+	AccessKeyID     *string `json:"access_key_id"`
+	SecretAccessKey *string `json:"secret_access_key"`
 }
 
 type GCSBucketProvider struct {

runtimes/core/src/objects/s3/mod.rs

@@ -132,13 +132,20 @@ func (p *ObjectStorage) UnmarshalJSON(data []byte) error {
 }
 
 type S3 struct {
-	Region   string             `json:"region"`
-	Endpoint string             `json:"endpoint,omitempty"`
-	Buckets  map[string]*Bucket `json:"buckets,omitempty"`
+	Region   string `json:"region"`
+	Endpoint string `json:"endpoint,omitempty"`
+
+	AccessKeyID     string    `json:"access_key_id,omitempty"`
+	SecretAccessKey EnvString `json:"secret_access_key,omitempty"`
+
+	Buckets map[string]*Bucket `json:"buckets,omitempty"`
 }
 
 func (a *S3) Validate(v *validator) {
 	v.ValidateField("region", NotZero(a.Region))
+	if a.AccessKeyID != "" {
+		v.ValidatePtrEnvRef("secret_access_key", &a.SecretAccessKey, "S3 Secret Access Key", NotZero[string])
+	}
 	ValidateChildMap(v, "buckets", a.Buckets)
 }
 

runtimes/go/appruntime/exported/config/config.go

@@ -376,8 +376,10 @@ func parseInfraConfigEnv(infraCfgPath string) *Runtime {
 		case "s3":
 			cfg.BucketProviders[i] = &BucketProvider{
 				S3: &S3BucketProvider{
-					Region:   storage.S3.Region,
-					Endpoint: nilOr(storage.S3.Endpoint),
+					Region:          storage.S3.Region,
+					Endpoint:        nilOr(storage.S3.Endpoint),
+					AccessKeyID:     nilOr(storage.S3.AccessKeyID),
+					SecretAccessKey: nilOr(storage.S3.SecretAccessKey.Value()),
 				},
 			}
 		}

runtimes/go/appruntime/exported/config/infra/config.go

@@ -143,11 +143,6 @@ func (b *Bucket) PublicURL(object string, options ...PublicURLOption) *url.URL {
 	if !strings.HasSuffix(u.Path, "/") {
 		u.Path += "/"
 	}
-
-	if b.runtimeCfg.KeyPrefix != "" {
-		u.Path += escape(b.runtimeCfg.KeyPrefix, encodePath)
-	}
-
 	u.Path += escape(object, encodePath)
 
 	return &u

runtimes/go/appruntime/exported/config/parse.go

@@ -10,6 +10,7 @@ import (
 	"cloud.google.com/go/storage"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awsConfig "github.com/aws/aws-sdk-go-v2/config"
+	awsCreds "github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/aws/smithy-go"
@@ -23,8 +24,8 @@ type Manager struct {
 	runtime *config.Runtime
 	clients map[*config.BucketProvider]*s3.Client
 
-	cfgOnce sync.Once
-	awsCfg  aws.Config
+	cfgOnce          sync.Once
+	awsDefaultConfig aws.Config
 }
 
 func NewManager(ctx context.Context, runtime *config.Runtime) *Manager {
@@ -155,7 +156,20 @@ func (mgr *Manager) clientForProvider(prov *config.BucketProvider) *s3.Client {
 		return client
 	}
 
-	cfg := mgr.getConfig()
+	// If we have a custom access key and secret, use them instead of the default config.
+	var cfg aws.Config
+	if prov.S3.AccessKeyID != nil && prov.S3.SecretAccessKey != nil {
+		var err error
+		cfg, err = awsConfig.LoadDefaultConfig(context.Background(),
+			awsConfig.WithCredentialsProvider(awsCreds.NewStaticCredentialsProvider(*prov.S3.AccessKeyID, *prov.S3.SecretAccessKey, "")),
+		)
+		if err != nil {
+			panic(fmt.Sprintf("unable to load AWS config: %v", err))
+		}
+	} else {
+		cfg = mgr.defaultConfig()
+	}
+
 	client := s3.New(s3.Options{
 		Region:       prov.S3.Region,
 		BaseEndpoint: prov.S3.Endpoint,
@@ -166,17 +180,16 @@ func (mgr *Manager) clientForProvider(prov *config.BucketProvider) *s3.Client {
 	return client
 }
 
-// getConfig loads the required AWS config to connect to AWS
-func (mgr *Manager) getConfig() aws.Config {
+// defaultConfig loads the required AWS config to connect to AWS
+func (mgr *Manager) defaultConfig() aws.Config {
 	mgr.cfgOnce.Do(func() {
 		cfg, err := awsConfig.LoadDefaultConfig(context.Background())
 		if err != nil {
 			panic(fmt.Sprintf("unable to load AWS config: %v", err))
 		}
-		mgr.awsCfg = cfg
-
+		mgr.awsDefaultConfig = cfg
 	})
-	return mgr.awsCfg
+	return mgr.awsDefaultConfig
 }
 
 func mapErr(err error) error {