add session token without IAM policy

fix: doc of getting started with session token
fix: temporary session token
fix: find session token in  the env variables
fix: add S3_SESSION_TOKEN in the docker-entrypoind.d
fix: docs of getting started with session token

fix: check if session token presents

Author: shawnhankim

common/docker-entrypoint.d/00-check-for-required-env.sh

@@ -52,6 +52,10 @@ else
   required+=("S3_ACCESS_KEY_ID" "S3_SECRET_KEY")
 fi
 
+if [[ -v S3_SESSION_TOKEN ]]; then
+  echo "S3 Session token present"
+fi
+
 for name in ${required[@]}; do
   if [[ ! -v name ]]; then
       >&2 echo "Required ${name} environment variable missing"

common/etc/nginx/include/s3gateway.js

@@ -236,11 +236,13 @@ function _writeCredentialsToFile(credentials) {
  * @returns {undefined|{accessKeyId: (string), secretAccessKey: (string), sessionToken: (string|null), expiration: (string|null)}} AWS instance profile credentials or undefined
  */
 function readCredentials(r) {
-    if (process.env['S3_ACCESS_KEY_ID'] && process.env['S3_SECRET_KEY']) {
+    if ('S3_ACCESS_KEY_ID' in process.env && 'S3_SECRET_KEY' in process.env) {
+        const sessionToken = 'S3_SESSION_TOKEN' in process.env ?
+                              process.env['S3_SESSION_TOKEN'] : null;
         return {
             accessKeyId: process.env['S3_ACCESS_KEY_ID'],
             secretAccessKey: process.env['S3_SECRET_KEY'],
-            sessionToken: null,
+            sessionToken: sessionToken,
             expiration: null
         };
     }

common/etc/nginx/nginx.conf

@@ -11,6 +11,7 @@ load_module modules/ngx_http_xslt_filter_module.so;
 # Preserve S3 environment variables for worker threads
 env S3_ACCESS_KEY_ID;
 env S3_SECRET_KEY;
+env S3_SESSION_TOKEN;
 env S3_BUCKET_NAME;
 env S3_SERVER;
 env S3_SERVER_PORT;

docs/getting_started.md

@@ -19,6 +19,7 @@ running as a Container or as a Systemd service.
 | `AWS_SIGS_VERSION`                    | Yes       | 2, 4                         |           | AWS Signatures API version                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | `S3_ACCESS_KEY_ID`                    | Yes       |                              |           | Access key                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | `S3_SECRET_KEY`                       | Yes       |                              |           | Secret access key                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| `S3_SESSION_TOKEN`                       | No        |                              |           | Session token.                                                                                                                                                                                                                                                                                                                                                                                                                                      |
 | `S3_BUCKET_NAME`                      | Yes       |                              |           | Name of S3 bucket to proxy requests to                                                                                                                                                                                                                                                                                                                                                                                                                |
 | `S3_REGION`                           | Yes       |                              |           | Region associated with API                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | `S3_SERVER_PORT`                      | Yes       |                              |           | SSL/TLS port to connect to                                                                                                                                                                                                                                                                                                                                                                                                                            |
@@ -39,7 +40,7 @@ running as a Container or as a Systemd service.
 
 
 If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html),
-you will need to omit the `S3_ACCESS_KEY_ID` and `S3_SECRET_KEY` variables from
+you will need to omit the `S3_ACCESS_KEY_ID`, `S3_SECRET_KEY` and `S3_SESSION_TOKEN` variables from
 the configuration.
 
 When running with Docker, the above environment variables can be set in a file 
@@ -210,8 +211,8 @@ docker run --env-file ./settings --publish 80:80 --name nginx-plus-s3-gateway \
 allow you to assign a role to a compute so that other AWS services can trust
 the instance without having to store authentication keys in the compute 
 instance. This is useful for the gateway because it allows us to run the
-gateway without storing an unchanging `S3_ACCESS_KEY_ID` and `S3_SECRET_KEY` 
-in a file on disk or in an easily read environment variable.
+gateway without storing an unchanging `S3_ACCESS_KEY_ID`, `S3_SECRET_KEY` and 
+`S3_SESSION_TOKEN` in a file on disk or in an easily read environment variable.
 
 Instance profiles work by providing credentials to the instance via the
 [AWS Metadata API](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html).
@@ -224,7 +225,7 @@ Following the [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/User
 we can create a IAM role and launch an instance associated with it. On that
 instance, if we run the gateway as a Systemd service there are no additional
 steps. We just run the install script without specifying the
-`S3_ACCESS_KEY_ID` and `S3_SECRET_KEY` environment variables.
+`S3_ACCESS_KEY_ID`, `S3_SECRET_KEY` and `S3_SESSION_TOKEN` environment variables.
 
 However, if we want to run the gateway as a container instance on that 
 EC2 instance, then we will need to run the following command using the AWS
@@ -236,7 +237,7 @@ aws ec2 modify-instance-metadata-options --instance-id <instance id> \
 ```
 
 After that has been run we can start the container normally and omit the
-`S3_ACCESS_KEY_ID` and `S3_SECRET_KEY` environment variables.
+`S3_ACCESS_KEY_ID`, `S3_SECRET_KEY` and `S3_SESSION_TOKEN` environment variables.
 
 ### Running in ECS with an IAM Policy
 
@@ -370,4 +371,4 @@ error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 4
 ```
 
 ### Error `403 Access Denied` for AWS Accounts with MFA Enabled
-The REST authentication method used in this container does not work with AWS IAM roles that have MFA enabled for authentication. Please use AWS IAM role credentials that do not have MFA enabled. 
+The REST authentication method used in this container does not work with AWS IAM roles that have MFA enabled for authentication. Please use AWS IAM role credentials that do not have MFA enabled. 

settings.example

@@ -1,6 +1,7 @@
 S3_BUCKET_NAME=my-bucket
 S3_ACCESS_KEY_ID=ZZZZZZZZZZZZZZZZZZZZ
 S3_SECRET_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+S3_SESSION_TOKEN=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
 S3_SERVER=s3-us-east-1.amazonaws.com
 S3_SERVER_PORT=443
 S3_SERVER_PROTO=https

standalone_ubuntu_oss_install.sh

@@ -44,6 +44,10 @@ else
   uses_iam_creds=0
 fi
 
+if [[ -v S3_SESSION_TOKEN ]]; then
+  echo "S3 Session token present"
+fi
+
 for name in ${required[@]}; do
   if [ -z ${!name+x} ]; then
       >&2 echo "Required ${name} environment variable missing"
@@ -182,6 +186,8 @@ if [ $uses_iam_creds -eq 0 ]; then
 S3_ACCESS_KEY_ID=${S3_ACCESS_KEY_ID}
 # AWS Secret access key
 S3_SECRET_KEY=${S3_SECRET_KEY}
+# AWS Session Token
+S3_SESSION_TOKEN=${S3_SESSION_TOKEN}
 EOF
 fi
 
@@ -281,6 +287,7 @@ if [ $uses_iam_creds -eq 0 ]; then
   cat >> "/etc/nginx/environment" << EOF
 env S3_ACCESS_KEY_ID;
 env S3_SECRET_KEY;
+env S3_SESSION_TOKEN;
 EOF
 fi
 

test.sh

@@ -276,6 +276,7 @@ MSYS_NO_PATHCONV=1 "${docker_cmd}" run \
   -e "S3_STYLE=virtual" \
   -e "S3_ACCESS_KEY_ID=unit_test" \
   -e "S3_SECRET_KEY=unit_test" \
+  -e "S3_SESSION_TOKEN=unit_test" \
   -e "S3_BUCKET_NAME=unit_test" \
   -e "S3_SERVER=unit_test" \
   -e "S3_SERVER_PROTO=https" \

test/unit/s3gateway_test.js

@@ -373,6 +373,7 @@ function testReadCredentialsWithAccessAndSecretKeySet() {
     let r = {};
     process.env['S3_ACCESS_KEY_ID'] = 'SOME_ACCESS_KEY';
     process.env['S3_SECRET_KEY'] = 'SOME_SECRET_KEY';
+    process.env['S3_SESSION_TOKEN'] = 'SOME_SESSION_TOKEN';
 
     try {
         var credentials = s3gateway.readCredentials(r);
@@ -382,7 +383,7 @@ function testReadCredentialsWithAccessAndSecretKeySet() {
         if (credentials.secretAccessKey !== process.env['S3_SECRET_KEY']) {
             throw 'static credentials do not match returned value [secretAccessKey]';
         }
-        if (credentials.sessionToken !== null) {
+        if (credentials.sessionToken !== process.env['S3_SESSION_TOKEN']) {
             throw 'static credentials do not match returned value [sessionToken]';
         }
         if (credentials.expiration !== null) {
@@ -392,6 +393,7 @@ function testReadCredentialsWithAccessAndSecretKeySet() {
     } finally {
         delete process.env.S3_ACCESS_KEY_ID;
         delete process.env.S3_SECRET_KEY;
+        delete process.env.S3_SESSION_TOKEN;
     }
 }
 
@@ -471,8 +473,10 @@ function testReadAndWriteCredentialsFromKeyValStore() {
 
     let accessKeyId = process.env['S3_ACCESS_KEY_ID'];
     let secretKey = process.env['S3_SECRET_KEY'];
+    let sessionToken = process.env['S3_SESSION_TOKEN'];
     delete process.env.S3_ACCESS_KEY_ID;
     delete process.env.S3_SECRET_KEY;
+    delete process.env.S3_SESSION_TOKEN
 
     try {
         let r = {
@@ -500,6 +504,7 @@ function testReadAndWriteCredentialsFromKeyValStore() {
     } finally {
         process.env['S3_ACCESS_KEY_ID'] = accessKeyId;
         process.env['S3_SECRET_KEY'] = secretKey;
+        process.env['S3_SESSION_TOKEN'] = sessionToken;
     }
 }