
Switch to AWS SDK for S3 cache access

Stan Hu requested to merge sh-use-aws-sdk-v2-s3 into main

What does this MR do?

This merge request does a number of things:

  1. Replaces the Minio S3 library with the AWS SDK v2.
  2. Adds new S3 config options: DualStack and Accelerate.

Minio enabled DualStack by default, so we preserve that behavior to avoid breaking changes.

However, DualStack must be disabled if you are using S3 Express (https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-one-zone.html).

Why was this MR needed?

The Minio AWS library doesn't support a number of items, such as:

  • S3 Express One Zone
  • The ability to configure AWS_STS_ENDPOINT_URL for AWS Secret Cloud

This new S3 client can be toggled off via the FF_USE_LEGACY_S3_CACHE_ADAPTER feature flag.

What's the best way to test this MR?

Setup

  1. Create an IAM instance role associated with an EC2 instance.
  2. Create an S3 bucket.
  3. Create an S3 Express directory bucket (https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-getting-started.html).
  4. In AWS Key Management Service (KMS), create a customer-managed key.
  5. Make sure the instance role has permissions to access the S3 bucket, S3 Express bucket, and KMS.

Example policies

S3
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET-HERE",
                "arn:aws:s3:::YOUR-BUCKET-HERE/*"
            ]
        }
    ]
}

S3 Express

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessRegionalEndpointAPIs",
            "Effect": "Allow",
            "Action": [
                "s3express:DeleteBucket",
                "s3express:DeleteBucketPolicy",
                "s3express:CreateBucket",
                "s3express:PutBucketPolicy",
                "s3express:GetBucketPolicy"
            ],
            "Resource": "arn:aws:s3express:YOUR-REGION:YOUR-ACCOUNT:bucket/YOUR-S3-EXPRESS--x-s3"
        },
        {
            "Sid": "AllowListDirectoryBuckets",
            "Effect": "Allow",
            "Action": "s3express:ListAllMyDirectoryBuckets",
            "Resource": "*"
        },
        {
            "Sid": "AllowCreateSession",
            "Effect": "Allow",
            "Action": "s3express:CreateSession",
            "Resource": "arn:aws:s3express:YOUR-REGION:YOUR-ACCOUNT:bucket/YOUR-S3-EXPRESS--x-s3"
        }
    ]
}

KMS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:YOUR-REGION:YOUR-ACCOUNT-ID:key/YOUR-KEY-ID"
        }
    ]
}
Test cases and sample TOML configs

Static credentials

[runners.cache.s3]
AccessKey = "REDACTED"
SecretKey = "REDACTED"
BucketName = "example"
BucketLocation = "us-west-2"

IAM instance profile

[runners.cache.s3]
ServerAddress = "example-s3.amazonaws.com"
BucketName = "example"
BucketLocation = "us-west-2"

IAM instance profile w/ dual-stack disabled

[runners.cache.s3]
ServerAddress = "example-s3.amazonaws.com"
BucketName = "example"
BucketLocation = "us-west-2"
DualStack = false

KMS encryption enabled

[runners.cache.s3]
ServerAddress = "example-s3.amazonaws.com"
BucketName = "example"
BucketLocation = "us-west-2"
ServerSideEncryption = "KMS"
ServerSideEncryptionKeyID = "arn:aws:kms:REDACTED"

S3 Transfer Acceleration

[runners.cache.s3]
BucketName = "example"
BucketLocation = "us-west-2"
Accelerate = true

S3 Transfer Acceleration w/ endpoint

[runners.cache.s3]
ServerAddress = "example-s3-accelerate.amazonaws.com"
BucketName = "example"
BucketLocation = "us-west-2"
ServerSideEncryption = "KMS"
ServerSideEncryptionKeyID = "arn:aws:kms:REDACTED"

S3 Express download/upload

[runners.cache.s3]
BucketName = "example-express--usw2-az1--x-s3"
BucketLocation = "us-west-2"
DualStack = false

Local Minio

[runners.cache.s3]
ServerAddress = "127.0.0.1:9000"
AccessKey = "REDACTED"
SecretKey = "REDACTED"
BucketName = "runner"
BucketLocation = "gdk"

What are the relevant issue numbers?

Relates to #37394 (closed)

Edited by Stan Hu
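The IAM policies attached to the runner's instance role are worth checking mechanically before they go on a real role: s3:ListBucket is evaluated against the bucket ARN and is silently denied when only arn:aws:s3:::bucket/* is listed, kms:* or key-store management actions on "*" are far more than SSE-KMS object access needs (GenerateDataKey on upload, Decrypt on download), and s3express:CreateSession on "*" reaches every directory bucket in the account. The following Go program is an added example written for this page, not code from the MR or from GitLab Runner; LintCachePolicy, the finding texts and the two sample policies (constructed to contain exactly those mistakes, with illustrative Sid values) are all assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy is the subset of the IAM policy grammar needed here. Action and
// Resource may each be a single string or an array in a real policy, so both
// decode through stringList.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

type Statement struct {
	Sid      string     `json:"Sid"`
	Effect   string     `json:"Effect"`
	Action   stringList `json:"Action"`
	Resource stringList `json:"Resource"`
}

type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = []string{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

// bucketLevel holds S3 actions evaluated against the bucket ARN
// (arn:aws:s3:::bucket); granting them only on arn:aws:s3:::bucket/* denies them.
var bucketLevel = map[string]bool{"s3:ListBucket": true, "s3:GetBucketLocation": true}

// kmsForSSE is what an S3 client doing SSE-KMS actually needs: GenerateDataKey
// on upload, Decrypt on download and multipart completion; DescribeKey is
// harmless and useful for diagnostics. Anything else on the key is excess.
var kmsForSSE = map[string]bool{"kms:GenerateDataKey": true, "kms:Decrypt": true, "kms:DescribeKey": true}

// LintCachePolicy returns one finding per least-privilege or correctness
// problem that would affect a runner cache client using the policy.
func LintCachePolicy(doc string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var out []string
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range st.Action {
			switch {
			case a == "*" || strings.HasSuffix(a, ":*"):
				out = append(out, fmt.Sprintf("%s: wildcard action %q; list only the calls the cache client makes", st.Sid, a))
			case bucketLevel[a] && !hasBucketARN(st.Resource):
				out = append(out, fmt.Sprintf("%s: %s is bucket-level but only object ARNs are listed; add the bucket ARN", st.Sid, a))
			case strings.HasPrefix(a, "kms:") && !kmsForSSE[a]:
				out = append(out, fmt.Sprintf("%s: %s is not needed for SSE-KMS object access", st.Sid, a))
			case a == "s3express:CreateSession" && hasStar(st.Resource):
				out = append(out, fmt.Sprintf("%s: CreateSession on \"*\" reaches every directory bucket; scope it to the bucket ARN", st.Sid))
			}
		}
	}
	return out, nil
}

func hasBucketARN(rs []string) bool {
	for _, r := range rs {
		if strings.HasPrefix(r, "arn:aws:s3:::") && !strings.Contains(r, "/") {
			return true
		}
	}
	return false
}

func hasStar(rs []string) bool {
	for _, r := range rs {
		if r == "*" {
			return true
		}
	}
	return false
}

// Constructed samples (not the MR's policies verbatim): the S3 one grants
// ListBucket only on the object ARN, the KMS one mixes unrelated key-store
// actions on "*" with kms:* on the key.
const SampleS3Policy = `{"Version": "2012-10-17", "Statement": [{"Sid": "S3Cache", "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
  "Resource": "arn:aws:s3:::YOUR-BUCKET-HERE/*"}]}`

const SampleKMSPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "Stores", "Effect": "Allow", "Action": ["kms:CreateKey", "kms:DeleteCustomKeyStore"], "Resource": "*"},
  {"Sid": "Key", "Effect": "Allow", "Action": "kms:*", "Resource": "arn:aws:kms:YOUR-REGION:YOUR-ACCOUNT-ID:key/YOUR-KEY-ID"}]}`

func main() {
	for name, doc := range map[string]string{"S3": SampleS3Policy, "KMS": SampleKMSPolicy} {
		findings, err := LintCachePolicy(doc)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Adding the bare bucket ARN next to the object ARN clears the ListBucket finding; the KMS sample produces one finding per unrelated action plus one for the kms:* wildcard. The linter only reads Allow statements, so a Deny on the same actions elsewhere would not change its verdict; it is a first pass, not a policy simulator.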
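The DualStack, Accelerate, S3 Express and ServerAddress combinations in the test matrix above, as an added example that is not GitLab Runner's code (the real client hands endpoint resolution to the AWS SDK v2): a small Go resolver that keeps the Minio-era DualStack default the MR description preserves, rejects DualStack with an S3 Express directory bucket as the description requires, and derives the host from the published AWS endpoint shapes. CacheS3Config, DirectoryBucketZone and ResolveEndpoint are hypothetical names chosen for this example; the configs in main are constructed from the matrix.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// CacheS3Config mirrors the [runners.cache.s3] keys used in the MR's test
// matrix. DualStack is a pointer so that "unset" can keep the Minio-era
// default of enabled, which the MR description says the new client preserves.
type CacheS3Config struct {
	ServerAddress  string
	BucketName     string
	BucketLocation string
	DualStack      *bool
	Accelerate     bool
}

// directoryBucket matches S3 Express One Zone names: <base>--<zone-id>--x-s3.
var directoryBucket = regexp.MustCompile(`^[a-z0-9.-]+?--([a-z0-9-]+)--x-s3$`)

// DirectoryBucketZone returns the zone id embedded in an S3 Express bucket
// name (e.g. "usw2-az1"), and false for a general-purpose bucket.
func DirectoryBucketZone(name string) (zone string, ok bool) {
	m := directoryBucket.FindStringSubmatch(name)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// ResolveEndpoint returns the host the cache client would address for the
// config, or an error for combinations that cannot work (assumed shapes:
// s3.<region>, s3.dualstack.<region>, s3-accelerate[.dualstack],
// s3express-<zone>.<region>, all under amazonaws.com).
func ResolveEndpoint(c CacheS3Config) (string, error) {
	dual := true // Minio default, preserved by the MR
	if c.DualStack != nil {
		dual = *c.DualStack
	}
	zone, express := DirectoryBucketZone(c.BucketName)
	if express && dual {
		return "", fmt.Errorf("%q is an S3 Express directory bucket: set DualStack = false", c.BucketName)
	}
	if c.Accelerate && strings.Contains(c.BucketName, ".") {
		return "", fmt.Errorf("%q: Transfer Acceleration does not support bucket names containing dots", c.BucketName)
	}
	if c.ServerAddress != "" {
		// An explicit endpoint (self-hosted Minio, an accelerate host, a VPC
		// endpoint) is used as given; no dual-stack or accelerate shaping.
		return c.ServerAddress, nil
	}
	if c.BucketLocation == "" {
		return "", errors.New("BucketLocation is required when ServerAddress is not set")
	}
	switch {
	case express:
		return fmt.Sprintf("s3express-%s.%s.amazonaws.com", zone, c.BucketLocation), nil
	case c.Accelerate && dual:
		return "s3-accelerate.dualstack.amazonaws.com", nil
	case c.Accelerate:
		return "s3-accelerate.amazonaws.com", nil
	case dual:
		return fmt.Sprintf("s3.dualstack.%s.amazonaws.com", c.BucketLocation), nil
	default:
		return fmt.Sprintf("s3.%s.amazonaws.com", c.BucketLocation), nil
	}
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Constructed from the MR's test matrix; values are placeholders.
	cases := map[string]CacheS3Config{
		"IAM instance profile":          {BucketName: "example", BucketLocation: "us-west-2"},
		"dual-stack disabled":           {BucketName: "example", BucketLocation: "us-west-2", DualStack: boolPtr(false)},
		"S3 Transfer Acceleration":      {BucketName: "example", BucketLocation: "us-west-2", Accelerate: true},
		"S3 Express, DualStack = false": {BucketName: "example-express--usw2-az1--x-s3", BucketLocation: "us-west-2", DualStack: boolPtr(false)},
		"S3 Express, DualStack unset":   {BucketName: "example-express--usw2-az1--x-s3", BucketLocation: "us-west-2"},
		"Local Minio":                   {ServerAddress: "127.0.0.1:9000", BucketName: "runner", BucketLocation: "gdk"},
	}
	for name, c := range cases {
		host, err := ResolveEndpoint(c)
		if err != nil {
			fmt.Printf("%-30s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-30s %s\n", name, host)
	}
}
```

The "S3 Express, DualStack unset" case is the one the description warns about: with DualStack left at its preserved default, the directory bucket is rejected before any request is made, which is a clearer failure than an unresolvable dual-stack hostname at connect time.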
