Update AWS S3 Extension to allow for use of credential chain. (#969)

aportillo83 · aportillo-fingercheck · dluc · web-flow · commit b3b285a4637f · 2025-01-08T09:54:10.000-08:00
## Motivation and Context (Why the change? What's the scenario?) Allow the use of [instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) for authentication and the proper use of [credential chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html). ## High level description (Approach, Design) Added AWS S3 Extension CredentialChain authentication method to use default credentials --------- Co-authored-by: Armando Portill <aportillo@fingercheck.com> Co-authored-by: Devis Lucato <dluc@users.noreply.github.com> Co-authored-by: Devis Lucato <devis@microsoft.com>
diff --git a/extensions/AWS/S3/AWSS3Config.cs b/extensions/AWS/S3/AWSS3Config.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft. All rights reserved.
+﻿// Copyright (c) Microsoft. All rights reserved.
 
 using System.Text.Json.Serialization;
 
@@ -13,6 +13,7 @@ public enum AuthTypes
     {
         Unknown = -1,
         AccessKey,
+        CredentialChain,
     }
 
     public AuthTypes Auth { get; set; } = AuthTypes.Unknown;
@@ -45,14 +46,17 @@ public void Validate()
             throw new ConfigurationException($"Authentication type '{this.Auth}' undefined or not supported");
         }
 
-        if (string.IsNullOrWhiteSpace(this.AccessKey))
+        if (this.Auth == AuthTypes.AccessKey)
         {
-            throw new ConfigurationException("S3 Access Key is undefined");
-        }
+            if (string.IsNullOrWhiteSpace(this.AccessKey))
+            {
+                throw new ConfigurationException("S3 Access Key is undefined");
+            }
 
-        if (string.IsNullOrWhiteSpace(this.SecretAccessKey))
-        {
-            throw new ConfigurationException("S3 Secret Key Access undefined");
+            if (string.IsNullOrWhiteSpace(this.SecretAccessKey))
+            {
+                throw new ConfigurationException("S3 Secret Key Access undefined");
+            }
         }
 
         if (string.IsNullOrWhiteSpace(this.BucketName))
diff --git a/extensions/AWS/S3/AWSS3Storage.cs b/extensions/AWS/S3/AWSS3Storage.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft. All rights reserved.
+﻿// Copyright (c) Microsoft. All rights reserved.
 
 using System;
 using System.Collections.Generic;
@@ -43,6 +43,15 @@ public AWSS3Storage(
                 );
                 break;
             }
+            case AWSS3Config.AuthTypes.CredentialChain:
+            {
+                this._client = new AmazonS3Client(new AmazonS3Config
+                {
+                    ServiceURL = config.Endpoint,
+                    LogResponse = true
+                });
+                break;
+            }
 
             default:
                 this._log.LogCritical("Authentication type '{0}' undefined or not supported", config.Auth);
diff --git a/service/Service/appsettings.json b/service/Service/appsettings.json
@@ -242,6 +242,7 @@
         "HttpClientName": ""
       },
       "AWSS3": {
+        // "AccessKey" or "CredentialChain". For other options see <AWSS3Config>.
         "Auth": "AccessKey",
         // AccessKey ID, required when using AccessKey auth
         // Note: you can use an env var 'KernelMemory__Services__AWSS3__AccessKey' to set this
