Switch to AWS SDK for S3 cache access
What does this MR do?
This merge request does a number of things:
- Replaces the Minio S3 library in favor of the AWS SDK v2.
- Adds new S3 config options: DualStack and Accelerate.

Minio enabled DualStack by default, so we preserve that behavior to avoid breaking changes. However, DualStack must be disabled if you are using S3 Express (https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-one-zone.html).
Why was this MR needed?
The Minio AWS library doesn't support a number of items, such as:
- S3 Express One Zone
- The ability to configure AWS_STS_ENDPOINT_URL for AWS Secret Cloud

This new S3 client can be toggled off via the FF_USE_LEGACY_S3_CACHE_ADAPTER feature flag.
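As an added illustration (not code from this MR or from GitLab Runner), a standalone Go check of the option combinations described above: the DualStack default, the S3 Express restriction, and the legacy-adapter feature flag. The `CacheS3Config` struct, the `--x-s3` directory-bucket suffix test, and the rule that the new options require the AWS SDK adapter are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CacheS3Config mirrors the [runners.cache.s3] keys used in the test table
// (assumed shape, not the runner's real config type). DualStack is a pointer
// so that "unset" can default to true, preserving the Minio behaviour.
type CacheS3Config struct {
	ServerAddress, BucketName, BucketLocation string
	DualStack                                 *bool
	Accelerate                                bool
	ServerSideEncryption                      string
	ServerSideEncryptionKeyID                 string
}

// IsDirectoryBucket reports whether the name has the S3 Express One Zone
// directory-bucket form "<base>--<az-id>--x-s3", e.g. example-express--usw2-az1--x-s3.
func IsDirectoryBucket(name string) bool {
	if !strings.HasSuffix(name, "--x-s3") {
		return false
	}
	parts := strings.Split(strings.TrimSuffix(name, "--x-s3"), "--")
	return len(parts) == 2 && parts[0] != "" && parts[1] != ""
}

// EffectiveDualStack applies the default: enabled unless explicitly set to false.
func EffectiveDualStack(c CacheS3Config) bool {
	return c.DualStack == nil || *c.DualStack
}

// Validate collects every problem so a bad cache config is rejected at runner
// startup instead of surfacing as a failed upload mid-job.
// useLegacyAdapter is the value of FF_USE_LEGACY_S3_CACHE_ADAPTER.
func Validate(c CacheS3Config, useLegacyAdapter bool) []error {
	var errs []error
	if c.BucketName == "" {
		errs = append(errs, errors.New("BucketName is required"))
	}
	express := IsDirectoryBucket(c.BucketName)
	if express && EffectiveDualStack(c) {
		errs = append(errs, fmt.Errorf("%s is an S3 Express bucket: set DualStack = false", c.BucketName))
	}
	if useLegacyAdapter && express {
		errs = append(errs, errors.New("the legacy Minio adapter does not support S3 Express"))
	}
	if useLegacyAdapter && (c.Accelerate || c.DualStack != nil) {
		errs = append(errs, errors.New("DualStack and Accelerate require the AWS SDK adapter"))
	}
	if c.ServerSideEncryptionKeyID != "" && c.ServerSideEncryption != "KMS" {
		errs = append(errs, errors.New(`ServerSideEncryptionKeyID needs ServerSideEncryption = "KMS"`))
	}
	return errs
}
```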
What's the best way to test this MR?
Setup
- Create an IAM instance role associated with an EC2 instance.
- Create an S3 bucket.
- Create an S3 Express directory bucket (https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-getting-started.html).
- In AWS Key Management Service (KMS), create a customer-managed key.
- Make sure the instance role has permissions to access the S3 bucket, S3 Express bucket, and KMS.
Example policies

S3

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::YOUR-BUCKET-HERE/*"
    }
  ]
}
```

S3 Express

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessRegionalEndpointAPIs",
      "Effect": "Allow",
      "Action": [
        "s3express:DeleteBucket",
        "s3express:DeleteBucketPolicy",
        "s3express:CreateBucket",
        "s3express:PutBucketPolicy",
        "s3express:GetBucketPolicy",
        "s3express:ListAllMyDirectoryBuckets"
      ],
      "Resource": "arn:aws:s3express:YOUR-REGION:YOUR-ACCOUNT:bucket/YOUR-S3-EXPRESS--x-s3/*"
    },
    {
      "Sid": "AllowCreateSession",
      "Effect": "Allow",
      "Action": "s3express:CreateSession",
      "Resource": "*"
    }
  ]
}
```

KMS

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeCustomKeyStores",
        "kms:ListKeys",
        "kms:DeleteCustomKeyStore",
        "kms:GenerateRandom",
        "kms:ListRetirableGrants",
        "kms:UpdateCustomKeyStore",
        "kms:ListAliases",
        "kms:DisconnectCustomKeyStore",
        "kms:CreateKey",
        "kms:ConnectCustomKeyStore",
        "kms:CreateCustomKeyStore"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "arn:aws:kms:YOUR-REGION:YOUR-ACCOUNT-ID:key/YOUR-KEY-ID"
    }
  ]
}
```
| Test cases | Sample TOML config | Pass? |
|---|---|---|
| Static credentials | `[runners.cache.s3]` `AccessKey = "REDACTED"` `SecretKey = "REDACTED"` `BucketName = "example"` `BucketLocation = "us-west-2"` | |
| IAM instance profile | `[runners.cache.s3]` `ServerAddress = "example-s3.amazonaws.com"` `BucketName = "example"` `BucketLocation = "us-west-2"` | |
| IAM instance profile w/ dual-stack disabled | `[runners.cache.s3]` `ServerAddress = "example-s3.amazonaws.com"` `BucketName = "example"` `BucketLocation = "us-west-2"` `DualStack = false` | |
| KMS encryption enabled | `[runners.cache.s3]` `ServerAddress = "example-s3.amazonaws.com"` `BucketName = "example"` `BucketLocation = "us-west-2"` `ServerSideEncryption = "KMS"` `ServerSideEncryptionKeyID = "arn:aws:kms:REDACTED"` | |
| S3 Transfer Acceleration | `[runners.cache.s3]` `BucketName = "example"` `BucketLocation = "us-west-2"` `Accelerate = true` | |
| S3 Transfer Acceleration w/ endpoint | `[runners.cache.s3]` `ServerAddress = "example-s3-accelerate.amazonaws.com"` `BucketName = "example"` `BucketLocation = "us-west-2"` `ServerSideEncryption = "KMS"` `ServerSideEncryptionKeyID = "arn:aws:kms:REDACTED"` | |
| S3 Express download/upload | `[runners.cache.s3]` `BucketName = "example-express--usw2-az1--x-s3"` `BucketLocation = "us-west-2"` `DualStack = false` | |
| Local Minio | `[runners.cache.s3]` `ServerAddress = "127.0.0.1:9000"` `AccessKey = "REDACTED"` `SecretKey = "REDACTED"` `BucketName = "runner"` `BucketLocation = "gdk"` | |
What are the relevant issue numbers?
Relates to #37394 (closed)
Edited by Stan Hu