Only use anon credentials for public s3 buckets (#187)

* Only use anon credentials for public s3 buckets Fixes #188
meltwater · Oct 1, 2021 · 080c2e5 · 080c2e5
1 parent 6ac4c7a
commit 080c2e5
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Nothing.
 
+## [1.2.2] - 2021-10-01
+
+- [#188](https://github.com/meltwater/drone-cache/pull/188) v1.2.0 breaks EC2 IAM role bucket access
+
 ## [1.2.1] - 2021-09-30
 
 ### Added

diff --git a/README.md b/README.md
@@ -180,6 +180,7 @@ GLOBAL OPTIONS:
    --path-style                          AWS path style to use for bucket paths. (true for minio, false for aws) (default: false) [$PLUGIN_PATH_STYLE, $AWS_PLUGIN_PATH_STYLE]
    --acl value                           upload files with acl (private, public-read, ...) (default: "private") [$PLUGIN_ACL, $AWS_ACL]
    --encryption value                    server-side encryption algorithm, defaults to none. (AES256, aws:kms) [$PLUGIN_ENCRYPTION, $AWS_ENCRYPTION]
+   --s3-bucket-public value              Set to use anonymous credentials with public S3 bucket [$PLUGIN_S3_BUCKET_PUBLIC, $S3_BUCKET_PUBLIC]
    --sts-endpoint value                  Custom STS endpoint for IAM role assumption [$PLUGIN_STS_ENDPOINT, $AWS_STS_ENDPOINT]
    --role-arn value                      AWS IAM role ARN to assume [$PLUGIN_ASSUME_ROLE_ARN, $AWS_ASSUME_ROLE_ARN]
    --gcs.api-key value                   Google service account API key [$PLUGIN_API_KEY, $GCP_API_KEY]

diff --git a/main.go b/main.go
@@ -363,6 +363,11 @@ func main() {
 			Usage:   "server-side encryption algorithm, defaults to none. (AES256, aws:kms)",
 			EnvVars: []string{"PLUGIN_ENCRYPTION", "AWS_ENCRYPTION"},
 		},
+		&cli.StringFlag{
+			Name:    "s3-bucket-public",
+			Usage:   "Set to use anonymous credentials with public S3 bucket",
+			EnvVars: []string{"PLUGIN_S3_BUCKET_PUBLIC", "S3_BUCKET_PUBLIC"},
+		},
 		&cli.StringFlag{
 			Name:    "sts-endpoint",
 			Usage:   "Custom STS endpoint for IAM role assumption",
@@ -546,6 +551,7 @@ func run(c *cli.Context) error {
 			Endpoint:    c.String("endpoint"),
 			Key:         c.String("access-key"),
 			PathStyle:   c.Bool("path-style"),
+			Public:      c.Bool("s3-bucket-public"),
 			Region:      c.String("region"),
 			Secret:      c.String("secret-key"),
 			StsEndpoint: c.String("sts-endpoint"),

diff --git a/storage/backend/s3/config.go b/storage/backend/s3/config.go
@@ -30,4 +30,5 @@ type Config struct {
 	Secret string
 
 	PathStyle bool // Use path style instead of domain style. Should be true for minio and false for AWS.
+	Public    bool
 }
diff --git a/storage/backend/s3/s3.go b/storage/backend/s3/s3.go
@@ -36,7 +36,11 @@ func New(l log.Logger, c Config, debug bool) (*Backend, error) {
 		Endpoint:         &c.Endpoint,
 		DisableSSL:       aws.Bool(!strings.HasPrefix(c.Endpoint, "https://")),
 		S3ForcePathStyle: aws.Bool(c.PathStyle),
-		Credentials:      credentials.AnonymousCredentials,
+	}
+
+	// Use anonymous credentials if the S3 bucket is public
+	if c.Public {
+		conf.Credentials = credentials.AnonymousCredentials
 	}
 
 	if c.Key != "" && c.Secret != "" {