Use separate client for credentials

Author: tustvold

object_store/src/aws/client.rs

@@ -230,10 +230,7 @@ impl S3Client {
     }
 
     async fn get_credential(&self) -> Result<Arc<AwsCredential>> {
-        self.config
-            .credentials
-            .get_credential(&self.client, &self.config.retry_config)
-            .await
+        self.config.credentials.get_credential().await
     }
 
     /// Make an S3 GET request <https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html>

object_store/src/aws/credential.rs

@@ -243,75 +243,90 @@ fn canonicalize_headers(header_map: &HeaderMap) -> (String, String) {
     (signed_headers, canonical_headers)
 }
 
+/// Provides credentials for use when signing requests
 #[derive(Debug)]
 pub enum CredentialProvider {
-    Static {
-        credential: Arc<AwsCredential>,
-    },
-    /// <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html>
-    Instance {
-        cache: TokenCache<Arc<AwsCredential>>,
-    },
-    WebIdentity {
-        cache: TokenCache<Arc<AwsCredential>>,
-        token: String,
-        role_arn: String,
-        session_name: String,
-        endpoint: String,
-    },
+    Static(StaticCredentialProvider),
+    Instance(InstanceCredentialProvider),
+    WebIdentity(WebIdentityProvider),
 }
 
 impl CredentialProvider {
-    pub async fn get_credential(
-        &self,
-        client: &Client,
-        retry_config: &RetryConfig,
-    ) -> Result<Arc<AwsCredential>> {
+    pub async fn get_credential(&self) -> Result<Arc<AwsCredential>> {
         match self {
-            CredentialProvider::Static { credential } => Ok(Arc::clone(credential)),
-            CredentialProvider::Instance { cache } => {
-                cache
-                    .get_or_insert_with(|| {
-                        const METADATA_ENDPOINT: &str = "http://169.254.169.254";
-                        instance_creds(client, retry_config, METADATA_ENDPOINT).map_err(
-                            |source| crate::Error::Generic {
-                                store: "S3",
-                                source,
-                            },
-                        )
-                    })
-                    .await
-            }
-            CredentialProvider::WebIdentity {
-                cache,
-                token,
-                role_arn,
-                session_name,
-                endpoint,
-            } => {
-                cache
-                    .get_or_insert_with(|| {
-                        web_identity(
-                            client,
-                            retry_config,
-                            token,
-                            role_arn,
-                            session_name,
-                            endpoint,
-                        )
-                        .map_err(|source| {
-                            crate::Error::Generic {
-                                store: "S3",
-                                source,
-                            }
-                        })
-                    })
-                    .await
-            }
+            CredentialProvider::Static(s) => Ok(Arc::clone(&s.credential)),
+            CredentialProvider::Instance(c) => c.get_credential().await,
+            CredentialProvider::WebIdentity(c) => c.get_credential().await,
         }
     }
 }
 
+/// A static set of credentials
+#[derive(Debug)]
+pub struct StaticCredentialProvider {
+    pub credential: Arc<AwsCredential>,
+}
+
+/// Credentials sourced from the instance metadata service
+///
+/// <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html>
+#[derive(Debug)]
+pub struct InstanceCredentialProvider {
+    pub cache: TokenCache<Arc<AwsCredential>>,
+    pub client: Client,
+    pub retry_config: RetryConfig,
+}
+
+impl InstanceCredentialProvider {
+    async fn get_credential(&self) -> Result<Arc<AwsCredential>> {
+        self.cache
+            .get_or_insert_with(|| {
+                const METADATA_ENDPOINT: &str = "http://169.254.169.254";
+                instance_creds(&self.client, &self.retry_config, METADATA_ENDPOINT)
+                    .map_err(|source| crate::Error::Generic {
+                        store: "S3",
+                        source,
+                    })
+            })
+            .await
+    }
+}
+
+/// Credentials sourced using AssumeRoleWithWebIdentity
+///
+/// <https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html>
+#[derive(Debug)]
+pub struct WebIdentityProvider {
+    pub cache: TokenCache<Arc<AwsCredential>>,
+    pub token: String,
+    pub role_arn: String,
+    pub session_name: String,
+    pub endpoint: String,
+    pub client: Client,
+    pub retry_config: RetryConfig,
+}
+
+impl WebIdentityProvider {
+    async fn get_credential(&self) -> Result<Arc<AwsCredential>> {
+        self.cache
+            .get_or_insert_with(|| {
+                web_identity(
+                    &self.client,
+                    &self.retry_config,
+                    &self.token,
+                    &self.role_arn,
+                    &self.session_name,
+                    &self.endpoint,
+                )
+                .map_err(|source| crate::Error::Generic {
+                    store: "S3",
+                    source,
+                })
+            })
+            .await
+    }
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "PascalCase")]
 struct InstanceCredentials {

object_store/src/aws/mod.rs

@@ -36,6 +36,7 @@ use bytes::Bytes;
 use chrono::{DateTime, Utc};
 use futures::stream::BoxStream;
 use futures::TryStreamExt;
+use reqwest::Client;
 use snafu::{OptionExt, ResultExt, Snafu};
 use std::collections::BTreeSet;
 use std::ops::Range;
@@ -44,7 +45,10 @@ use tokio::io::AsyncWrite;
 use tracing::info;
 
 use crate::aws::client::{S3Client, S3Config};
-use crate::aws::credential::{AwsCredential, CredentialProvider};
+use crate::aws::credential::{
+    AwsCredential, CredentialProvider, InstanceCredentialProvider,
+    StaticCredentialProvider, WebIdentityProvider,
+};
 use crate::multipart::{CloudMultiPartUpload, CloudMultiPartUploadImpl, UploadPart};
 use crate::{
     GetResult, ListResult, MultipartId, ObjectMeta, ObjectStore, Path, Result,
@@ -409,13 +413,13 @@ impl AmazonS3Builder {
         let credentials = match (self.access_key_id, self.secret_access_key, self.token) {
             (Some(key_id), Some(secret_key), token) => {
                 info!("Using Static credential provider");
-                CredentialProvider::Static {
+                CredentialProvider::Static(StaticCredentialProvider {
                     credential: Arc::new(AwsCredential {
                         key_id,
                         secret_key,
                         token,
                     }),
-                }
+                })
             }
             (None, Some(_), _) => return Err(Error::MissingAccessKeyId.into()),
             (Some(_), None, _) => return Err(Error::MissingSecretAccessKey.into()),
@@ -434,19 +438,30 @@ impl AmazonS3Builder {
 
                     let endpoint = format!("https://sts.{}.amazonaws.com", region);
 
-                    CredentialProvider::WebIdentity {
+                    // Disallow non-HTTPs requests
+                    let client = Client::builder().https_only(true).build().unwrap();
+
+                    CredentialProvider::WebIdentity(WebIdentityProvider {
                         cache: Default::default(),
                         token,
                         session_name,
                         role_arn,
                         endpoint,
-                    }
+                        client,
+                        retry_config: self.retry_config.clone(),
+                    })
                 }
                 _ => {
                     info!("Using Instance credential provider");
-                    CredentialProvider::Instance {
+
+                    // The instance metadata endpoint is access over HTTP
+                    let client = Client::builder().https_only(false).build().unwrap();
+
+                    CredentialProvider::Instance(InstanceCredentialProvider {
                         cache: Default::default(),
-                    }
+                        client,
+                        retry_config: self.retry_config.clone(),
+                    })
                 }
             },
         };