
Allow IAM Session Tokens for S3 cache client credentials

Mike Heyns requested to merge mike.heyns/gitlab-runner:s3-session-tokens into main

What does this MR do?

When using access keys for authentication, we currently provide the Minio S3 Client Credentials a hardcoded empty string for Session Token.

This MR extends the configuration by offering an additional input for specifying an AWS IAM Session Token if needed.

Why was this MR needed?

  • Specifying only Access Key ID and Secret Key is fine when using long-lived IAM credentials because only the Access Key ID and Secret Key are issued.
  • When operating in an environment that uses temporary IAM credentials (usually issued through STS IAM Role Assumptions), a Session Token also needs to be provided.

What's the best way to test this MR?

  1. Issue temporary credentials for a role that has S3 Bucket permissions
    • aws sts assume-role --role-arn arn:aws:iam::123456789123:role/myAwesomeRole --role-session-name test --duration-seconds 900
  2. Configure the runner using the printed credentials (including the session token)
    • Test a single build using the run-single command

Before this change (only access key id and secret key supplied)

image

After this change (being able to specify a session token too)

image

What are the relevant issue numbers?

  • None, because it is a pretty small fix. I can create one if it's really necessary.
Edited by Mike Heyns
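
As an added example (not code from this merge request or from GitLab Runner), a pre-flight check in Go for the credentials printed by the aws sts assume-role step above, run before they are placed in the runner configuration. It assumes temporary access key IDs begin with ASIA; the type and function names are hypothetical and the sample JSON is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// S3CacheCreds holds the values issued for a temporary credential set.
type S3CacheCreds struct {
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	SessionToken    string    `json:"SessionToken"`
	Expiration      time.Time `json:"Expiration"`
}

// ParseAssumeRole extracts the Credentials object from `aws sts assume-role` JSON output.
func ParseAssumeRole(out []byte) (S3CacheCreds, error) {
	var doc struct{ Credentials S3CacheCreds }
	if err := json.Unmarshal(out, &doc); err != nil {
		return S3CacheCreds{}, fmt.Errorf("parse assume-role output: %w", err)
	}
	return doc.Credentials, nil
}

// Check rejects a temporary (ASIA...) key without a session token, and credentials with less than minLeft of lifetime.
func (c S3CacheCreds) Check(now time.Time, minLeft time.Duration) error {
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return errors.New("access key id and secret key are required")
	}
	if strings.HasPrefix(c.AccessKeyID, "ASIA") && c.SessionToken == "" { // assumption: ASIA marks temporary keys
		return errors.New("temporary access key supplied without a session token")
	}
	if !c.Expiration.IsZero() && c.Expiration.Sub(now) < minLeft {
		return fmt.Errorf("credentials expire at %s, too soon for a job", c.Expiration.Format(time.RFC3339))
	}
	return nil
}

// sampleOutput is constructed for this example; the key values are placeholders.
const sampleOutput = `{"Credentials":{"AccessKeyId":"ASIAEXAMPLEEXAMPLE00","SecretAccessKey":"constructed-secret","SessionToken":"constructed-token","Expiration":"2030-01-01T00:15:00Z"}}`

func main() {
	creds, _ := ParseAssumeRole([]byte(sampleOutput))
	fmt.Println(creds.AccessKeyID, creds.Check(time.Now(), 5*time.Minute))
}
```

With --duration-seconds 900 as in the test step, the credentials last 15 minutes, so the expiry check matters for any build that uses the cache after that window.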
