This adds the AWS client directly to Workhorse and a new configuration section for specifying credentials. This makes it possible to use S3 buckets with KMS encryption and proper MD5 checksums.
This is disabled by default. For this to be used:
-
GitLab Rails needs to send the
UseWorkhorseClientandRemoteTempObjectIDin the/authorizeendpoint. (gitlab!29389 (merged)) -
S3 configuration must be specified in
config.toml, or Rails must be configured to use IAM instance profiles (use_iam_profilein Fog connection parameters).
S3 sessions are created lazily and cached for 10 minutes to avoid unnecessary local I/O access. When IAM instance profiles are used, this also cuts down the number of HTTP requests needed to request AWS credentials.
Related issues:
Testing notes
- Created an AWS instance with the following IAM instance profile:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::stanhu-s3-workhorse-testing/*"
}
]
}- On LFS, artifacts, packages, and uploads, I configured the object store connections in the following way:
gitlab_rails['uploads_object_store_connection'] = {
'provider' => 'AWS',
'region' => 'us-west-2',
'use_iam_profile' => true
}
gitlab_rails['uploads_object_store_enabled'] = true
gitlab_rails['uploads_object_store_direct_upload'] = true
gitlab_rails['uploads_object_store_proxy_download'] = true
gitlab_rails['uploads_object_store_remote_directory'] = "stanhu-s3-workhorse-testing"