Send in x-amz-security-token header when configured (for use with IAM roles)

README.md

@@ -68,6 +68,14 @@ riofs [options] [bucketname] [mountpoint]
 
 * Send a TERM signal to unmount filesystem and terminate running RioFS instance (example: ```killall riofs```)
 
+* To use with IAM roles:
+
+    - acquire the credentials from http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLENAME] 
+
+    - in addition to the AWS_ACCESS_KEY_ID, AWS_SECRET_KEY environment variables, also assign the token to AWS_SESSION_TOKEN
+
+    - alternatively use the session_token element in the xml configuration file
+
 ### Known limitations
 
 * Appending data to an existing file is not supported.

riofs.conf.xml

@@ -50,6 +50,12 @@
     <access_key_id type="string">### AWS Access Key ID ###</access_key_id>
     <secret_access_key type="string">### AWS Secret Access Key ###</secret_access_key>
     -->
+
+    <!-- If using with IAM roles, use the AWS_SESSION_TOKEN environment variable or configuration file.
+         Uncomment the following line and replace ### strings with your data: -->
+    <!--
+    <session_token type="string">### Session Token ###</session_token>
+    -->
 </s3>
 
 <connection>

src/http_connection.c

@@ -670,6 +670,7 @@ gboolean http_connection_make_request (HttpConnection *con,
     gpointer ctx)
 {
     gchar *auth_str;
+    gchar *session_token;
     struct evhttp_request *req;
     gchar auth_key[300];
     time_t t;
@@ -690,6 +691,11 @@ gboolean http_connection_make_request (HttpConnection *con,
             return FALSE;
         }
 
+    if (conf_node_exists (application_get_conf (con->app), "s3.session_token")) {
+        session_token = conf_get_string (application_get_conf (con->app), "s3.session_token");
+        http_connection_add_output_header (con, "x-amz-security-token", session_token);
+    }
+
     // if this is the first request
     if (!parent_request_data) {
 

src/main.c

@@ -284,7 +284,7 @@ static void sigusr1_cb (G_GNUC_UNUSED evutil_socket_t sig, G_GNUC_UNUSED short e
         LOG_err (APP_LOG, "Failed to parse configuration file: %s", _app->conf_path);
         conf_destroy(conf_new);
     } else {
-        const gchar *copy_entries[] = {"s3.host", "s3.port", "s3.versioning", "s3.access_key_id", "s3.secret_access_key", "s3.bucket_name", NULL};
+        const gchar *copy_entries[] = {"s3.host", "s3.port", "s3.versioning", "s3.access_key_id", "s3.secret_access_key", "s3.session_token", "s3.bucket_name", NULL};
         int i;
 
         _app->conf = conf_new;
@@ -850,6 +850,9 @@ int main (int argc, char *argv[])
             return -1;
         }
     }
+    if (getenv("AWS_SESSION_TOKEN")) {
+        conf_set_string (app->conf, "s3.session_token", getenv ("AWS_SESSION_TOKEN"));
+    }
 
     // check if both strings are set
     if (!conf_get_string (app->conf, "s3.access_key_id") || !conf_get_string (app->conf, "s3.secret_access_key")) {