feat: add support for a credentials chain for minio access

If a static access key id and secret are not provided, instead
fallback to a pulling credentials from other places, in priority
order:

1. MINIO_ prefixed environment variables
2. AWS_ prefixed environment variables
3. a minio credentials file
4. an aws credentials file
5. EC2 instance metadata

This enables using temporary credentials that are auto-refreshed upon expiration.

Author: bohde

modules/storage/minio.go

@@ -96,8 +96,34 @@ func NewMinioStorage(ctx context.Context, cfg *setting.Storage) (ObjectStorage,
 		return nil, fmt.Errorf("invalid minio bucket lookup type: %s", config.BucketLookUpType)
 	}
 
+	// By default, use the static credentials
+	creds := credentials.NewStaticV4(config.AccessKeyID, config.SecretAccessKey, "")
+
+	// If the Access Key ID is empty, configure a credentials chain for S3 access
+	if config.AccessKeyID == "" {
+		chain := []credentials.Provider{
+			// configure based upon MINIO_ prefixed environment variables
+			&credentials.EnvMinio{},
+			// configure based upon AWS_ prefixed environment variables
+			&credentials.EnvAWS{},
+			// read credentials from MINIO_SHARED_CREDENTIALS_FILE
+			// environment variable, or default json config files
+			&credentials.FileMinioClient{},
+			// read credentials from AWS_SHARED_CREDENTIALS_FILE
+			// environment variable, or default credentials file
+			&credentials.FileAWSCredentials{},
+			// read IAM role from EC2 metadata endpoint if available
+			&credentials.IAM{
+				Client: &http.Client{
+					Transport: http.DefaultTransport,
+				},
+			},
+		}
+		creds = credentials.NewChainCredentials(chain)
+	}
+
 	minioClient, err := minio.New(config.Endpoint, &minio.Options{
-		Creds:        credentials.NewStaticV4(config.AccessKeyID, config.SecretAccessKey, ""),
+		Creds:        creds,
 		Secure:       config.UseSSL,
 		Transport:    &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: config.InsecureSkipVerify}},
 		Region:       config.Location,