Explicit configuration for cache s3 authentication type

John Cai requested to merge jc-enable-iam-separately into main

What does this MR do?

Currently, when a customer is using the s3 cache, the ServerAddress is not honored if IAM is being used. This MR fixes that by passing in the ServerAddress to the initialization call that creates the S3 Client.

There is also a wider problem of the s3 cache configuration being a little confusing. If ServerAddress, AccessKey, or SecretKey are blank, IAM is used. Otherwise, root credentials are used.

To improve this, we will add a new field AuthenticationType where the user can explicitly indicate which authentication type should be used.

Why was this MR needed?

Certain customers need to specify a custom S3 server address.

What's the best way to test this MR?

  1. Create a job with cache enabled. Put in some non s3.amazonaws.com value for the ServerAddress.
config.toml
[[runners]]
  name = "my-runner"
  url = "https://gitlab.com/"
  token = "j8y53CNvsxHCsi9R_jOuq"
  executor = "shell"
  [runners.custom_build_dir]
  [runners.cache]
    Type = "s3"
    [runners.cache.s3]
      ServerAddress = "s3.my-custom-url.com"
      AuthenticationType = "IAM"
      BucketName = "mybucket"
      BucketLocation = "us-west-1"
.gitlab-ci.yaml
cache:
  key: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"
  paths:
    - cached_file

job:
  script:
    - echo "generating file to be cached if it isn't cached."
    - if [ ! -f cached_file ]; then echo 'some important data' > cached_file; else echo "Reusing cached_file."; fi;

When you run the job, you should see an error message with the custom url in the logs indicating the ServerAddress got passed into the API call.

WARNING: Retrying...                                error=Put "https://s3.my-custom-url.com/mybucket/cached_file/project/28145097/job-china-sws?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA3M5AY5I232KN3JF5%2F20210830%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210830T171909Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCWV1LXdlc3QtMSJIMEYCIQCDriDdOzEirhWEHl2feSQH30VZmrL%2FXDSTUiTFDyuGEwIhAIKGq9IK2UZCTg3iTLNtEam9%2FER5ZX%2B%2F1kDaQRJjC0RlKoMECML%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMNzgzNjMxODM3NzQ5IgzFAvKhmdvXdEgtrGQq1wOsYKKPHryVee%2Br8pj00SVtV%2FN9pbeWAEy1RmYQp2dWEGVqL%2B%2FvwhMsb23rfMFQ2QgyxSj05agQmxKfL1bx8QUKeX%2BqVUaUIOSgKZwCqxacphNb2V%2BqEqMAbU4pvNN7cN1zY2eJ7YoAgGNzd6SrcPGeZZmLzsAadedrCJSQznEhOzLruNLQKVGx8unUJODuLANKYUnfkrLgkdbfmU%2FO1qikCpjsW7pfcWOI61bLAB8eZL2RXr0rkhAIJHWYG%2Fl%2BHbxmENrk6T%2FgTpP7ZoGnL3Vd6DvGMulMxXROTdsmGKptzKdUdpzhl3WpA4IPX0h4NzvQQRYURDbVrrDxpCWV99cVIH7ctS%2FqbUMQpKMFPNxY5YjHny1yLGPgwkN3W9bfmwLzbk3SJGfpLJo62UqCG3LxzkDlmvhGInCiPVsHewcHXVCJDBXGmdp4%2BggobxFQMG5%2FUc60U4uRC9IKXddQOoAD6kybdrd19WxbzuVPanMzxdGGO28p08DWBLb%2FJ%2FjDmIboQKYSbnxR%2BlWzq%2BjXK0CPKTzDKOrV5ob33salNcTj%2BZYBqVOtRMkqvfhoQirIPxyYwSNz0jYHcFEVARLtUM6Z8Q4LDDT1zAVI87nWm02hBqEl2cVhSFQwn6C0iQY6pAFtzuZCvTLNRXsY4TITPtI8xRtpudBcaIn1HiimGby8w3NVpPpgq1nvSabXfEKlru28O%2FbOpzmQzEUJSrd0UloCooWR7t8jJhkC503yfvN6m8EPwYh%2FyQy%2BIKhADkmIsHlmLktM2auNpfKQojgbdUG60TDgk3xOQE7Ls04TCPhOw3t%2FJGPFs5N539TMJFD6iW5zYKu0Sd93Rcauoj4TrwP5S8%2BZaA%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=f8746c8e7e746623c8e86e34f60edcadad91675f2ea6de2cd8bab3083ddbfe5a": dial tcp: lookup customurl.whatever.com: no such host

To ensure that root credentials also work, repeat this process with:

config.toml
[[runners]]
  name = "my-runner"
  url = "https://gitlab.com/"
  token = "j8y53CNvsxHCsi9R_jOuq"
  executor = "shell"
  [runners.custom_build_dir]
  [runners.cache]
    Type = "s3"
    [runners.cache.s3]
      ServerAddress = "s3.my-custom-url.com"
      AuthenticationType = "credentials"
      AccessKey = "<fill this in>"
      SecretKey = "<fill this in>"
      BucketName = "mybucket"
      BucketLocation = "us-west-1"

What are the relevant issue numbers?

gitlab#336776 (closed)

Edited by John Cai
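
The selection rules described in this MR, written out as an added Go example (not code from the merge request or from GitLab Runner): an explicit AuthenticationType wins, the blank-field rule applies only when it is unset, and the endpoint is resolved independently of the authentication type. `S3Config`, `ResolveAuth`, the `s3.amazonaws.com` default and the rejection of stray keys under IAM are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// S3Config holds the [runners.cache.s3] keys discussed above (hypothetical type, not GitLab Runner's).
type S3Config struct {
	ServerAddress, AccessKey, SecretKey, AuthenticationType string
}

const (
	AuthIAM         = "IAM"              // value used in the first config.toml above
	AuthCredentials = "credentials"      // value used in the second config.toml above
	defaultEndpoint = "s3.amazonaws.com" // assumed default when ServerAddress is blank
)

// ResolveAuth (hypothetical) returns the auth type and endpoint to build the S3 client with.
func ResolveAuth(c S3Config) (authType, endpoint string, err error) {
	endpoint = c.ServerAddress // honored for every authentication type
	if endpoint == "" {
		endpoint = defaultEndpoint
	}
	hasKeys := c.AccessKey != "" && c.SecretKey != ""
	switch c.AuthenticationType {
	case "": // field unset: the implicit rule quoted in the description
		if c.ServerAddress == "" || !hasKeys {
			return AuthIAM, endpoint, nil
		}
		return AuthCredentials, endpoint, nil
	case AuthIAM:
		if c.AccessKey != "" || c.SecretKey != "" {
			// Assumption of this example: reject rather than silently ignore stray keys.
			return "", "", errors.New("AuthenticationType is IAM but static keys are set")
		}
		return AuthIAM, endpoint, nil
	case AuthCredentials:
		if !hasKeys {
			return "", "", errors.New("AuthenticationType is credentials but AccessKey or SecretKey is blank")
		}
		return AuthCredentials, endpoint, nil
	}
	return "", "", fmt.Errorf("unknown AuthenticationType %q", c.AuthenticationType)
}

func main() {
	fmt.Println(ResolveAuth(S3Config{ServerAddress: "s3.my-custom-url.com", AuthenticationType: AuthIAM}))
}
```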