Using instance role with custom AWS ServerAddress broken for S3 cache

Summary

Due to the conditionals in the runner minio code, using instance roles (i.e. not passing s3.AccessKey and s3.SecretKey) with custom AWS endpoints (i.e. not s3.amazonaws.com) doesn't work. s3.amazonaws.com is essentially hard-coded.

The docs say:

For Amazon’s S3 service, the ServerAddress should always be s3.amazonaws.com. The Minio S3 client will get bucket metadata and modify the URL to point to the valid region (eg. s3-eu-west-1.amazonaws.com) itself.

Steps to reproduce

Use something like the following in config.toml:

[runners.cache]
  Type = "s3"
  Path = "path/to/prefix"
  Shared = false
  [runners.cache.s3]
    ServerAddress = "s3.customaws.other"
    BucketName = "runners-cache"
    BucketLocation = "eu-iso-west-1"
    Insecure = false

and cache things in your gitlab-ci.yml

Actual behavior

Tries to access cache at s3.amazonaws.com due to the following code:

if s3.ShouldUseIAMCredentials() {
	iam := credentials.NewIAM("")
	client, err = newMinioWithCredentials(DefaultAWSS3Server, iam, true, "")
} else {
	client, err = newMinio(s3.ServerAddress, s3.AccessKey, s3.SecretKey, !s3.Insecure)
}

Expected behavior

Accesses cache at s3.customaws.other

The Minio S3 client should get bucket metadata and modify the URL to point to the valid region (eg. s3-eu-iso-west-1.customaws.other) itself

Potential fix

The expected behavior could maybe be realized by altering the code to be something like:

if s3.ShouldUseIAMCredentials() {
	iam := credentials.NewIAM("")
	client, err = newMinioWithCredentials(s3.ServerAddress, iam, true, "")
} else {
	client, err = newMinio(s3.ServerAddress, s3.AccessKey, s3.SecretKey, !s3.Insecure)
}

but I don't fully understand the ramifications of making an alteration such as this.

Environment description

Using Kubernetes runner (deployed without helm chart) with Kubernetes executor alongside self-hosted GitLab CE 9.1.4 with a custom AWS DNS suffix and region.

Used GitLab Runner version

11.9.1
Version:      11.9.1
Git revision: de08a4bb
Git branch:   11-9-stable
GO version:   go1.8.7
Built:        2019-04-03T23:55:42+0000
OS/Arch:      linux/amd64
Edited by Casey Vockrodt
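
The endpoint selection described in this issue, modelled as an added example (not GitLab Runner's own code, and not written by the issue author). It shows where requests signed with instance-role credentials are sent under the quoted branch and under the proposed change. The `S3Config` type, the `usesIAM` rule, and the fallback to the default host when `ServerAddress` is empty are assumptions made for illustration; the fallback goes beyond the snippet in the issue.

```go
package main

import "fmt"

// DefaultAWSS3Server mirrors the constant named in the issue's snippet.
const DefaultAWSS3Server = "s3.amazonaws.com"

// S3Config is a hypothetical stand-in for the [runners.cache.s3] section.
type S3Config struct {
	ServerAddress, AccessKey, SecretKey string
}

// usesIAM is an assumed simplification: no static keys means instance role.
func (c S3Config) usesIAM() bool { return c.AccessKey == "" || c.SecretKey == "" }

// currentEndpoint models the branch quoted under "Actual behavior":
// the IAM path ignores ServerAddress entirely.
func currentEndpoint(c S3Config) string {
	if c.usesIAM() {
		return DefaultAWSS3Server
	}
	return c.ServerAddress
}

// proposedEndpoint models the "Potential fix", plus an assumed fallback so
// that configs which omit ServerAddress keep reaching the default host.
func proposedEndpoint(c S3Config) string {
	if c.ServerAddress == "" {
		return DefaultAWSS3Server
	}
	return c.ServerAddress
}

// endpointMismatch reports configs whose role-signed cache requests would
// go to a host other than the one the operator configured.
func endpointMismatch(c S3Config) (bool, string) {
	if eff := currentEndpoint(c); c.ServerAddress != "" && eff != c.ServerAddress {
		return true, fmt.Sprintf("configured %q, effective %q", c.ServerAddress, eff)
	}
	return false, ""
}

func main() {
	// Constructed config matching the issue's config.toml (no static keys).
	c := S3Config{ServerAddress: "s3.customaws.other"}
	bad, why := endpointMismatch(c)
	fmt.Println("current: ", currentEndpoint(c), "mismatch:", bad, why)
	fmt.Println("proposed:", proposedEndpoint(c))
}
```

The mismatch check is useful as a pre-deployment audit of `config.toml`: in an isolated partition, a flagged config means cache traffic carrying role-derived signatures is addressed to the public endpoint instead of the intended one.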