working fargate credentials

els-tmiller · els-tmiller · commit b51f81652de1 · 2025-10-17T13:17:19.000-04:00
diff --git a/README.md b/README.md
@@ -184,6 +184,20 @@ export IMMUDB_S3_ENDPOINT="https://${IMMUDB_S3_BUCKET_NAME}.s3.${IMMUDB_S3_LOCAT
 ./immudb
 ```
 
+If using Fargate, the credentials URL can be sourced automatically:
+
+```bash
+export IMMUDB_S3_STORAGE=true
+export IMMUDB_S3_ROLE_ENABLED=true
+export IMMUDB_S3_FARGATE_CREDENTIALS=true
+export IMMUDB_S3_BUCKET_NAME=<BUCKET NAME>
+export IMMUDB_S3_LOCATION=<AWS S3 REGION>
+export IMMUDB_S3_PATH_PREFIX=testing-001
+export IMMUDB_S3_ENDPOINT="https://${IMMUDB_S3_BUCKET_NAME}.s3.${IMMUDB_S3_LOCATION}.amazonaws.com"
+
+./immudb
+```
+
 Optionally, you can specify the exact role immudb should be using with:
 
 ```bash
diff --git a/cmd/immudb/command/init.go b/cmd/immudb/command/init.go
@@ -89,7 +89,7 @@ func (cl *Commandline) setupFlags(cmd *cobra.Command, options *server.Options) {
 	cmd.Flags().String("s3-path-prefix", "", "s3 path prefix (multiple immudb instances can share the same bucket if they have different prefixes)")
 	cmd.Flags().Bool("s3-external-identifier", false, "use the remote identifier if there is no local identifier")
 	cmd.Flags().String("s3-instance-metadata-url", "http://169.254.169.254", "s3 instance metadata url")
-	cmd.Flags().String("s3-fargate-credentials-url", "", "s3 fargate credentials url")
+	cmd.Flags().String("s3-fargate-credentials", "false", "s3 fargate credentials true/false")
 	cmd.Flags().Int("max-sessions", 100, "maximum number of simultaneously opened sessions")
 	cmd.Flags().Duration("max-session-inactivity-time", 3*time.Minute, "max session inactivity time is a duration after which an active session is declared inactive by the server. A session is kept active if server is still receiving requests from client (keep-alive or other methods)")
 	cmd.Flags().Duration("max-session-age-time", 0, "the current default value is infinity. max session age time is a duration after which session will be forcibly closed")
diff --git a/cmd/immudb/command/parse_options.go b/cmd/immudb/command/parse_options.go
@@ -106,6 +106,7 @@ func parseOptions() (options *server.Options, err error) {
 	s3PathPrefix := viper.GetString("s3-path-prefix")
 	s3ExternalIdentifier := viper.GetBool("s3-external-identifier")
 	s3MetadataURL := viper.GetString("s3-instance-metadata-url")
+	s3FargateCredentials := viper.GetBool("s3-fargate-credentials")
 
 	remoteStorageOptions := server.DefaultRemoteStorageOptions().
 		WithS3Storage(s3Storage).
@@ -118,7 +119,8 @@ func parseOptions() (options *server.Options, err error) {
 		WithS3Location(s3Location).
 		WithS3PathPrefix(s3PathPrefix).
 		WithS3ExternalIdentifier(s3ExternalIdentifier).
-		WithS3InstanceMetadataURL(s3MetadataURL)
+		WithS3InstanceMetadataURL(s3MetadataURL).
+		WithS3FargateCredentials(s3FargateCredentials)
 
 	sessionOptions := sessions.DefaultOptions().
 		WithMaxSessions(viper.GetInt("max-sessions")).
diff --git a/embedded/remotestorage/s3/s3.go b/embedded/remotestorage/s3/s3.go
@@ -57,7 +57,7 @@ type Storage struct {
 	awsInstanceMetadataURL string
 	awsCredsRefreshPeriod  time.Duration
 
-	fargateCredentialsURL string
+	fargateCredentials bool
 }
 
 var (
@@ -101,7 +101,7 @@ func Open(
 	location string,
 	prefix string,
 	awsInstanceMetadataURL string,
-	fargateCredentialsURL string,
+	fargateCredentials bool,
 ) (remotestorage.Storage, error) {
 
 	// Endpoint must always end with '/'
@@ -140,7 +140,7 @@ func Open(
 		},
 		awsInstanceMetadataURL: awsInstanceMetadataURL,
 		awsCredsRefreshPeriod:  time.Minute,
-		fargateCredentialsURL:  fargateCredentialsURL,
+		fargateCredentials:     fargateCredentials,
 	}
 
 	err := s3storage.getRoleCredentials()
@@ -811,9 +811,15 @@ func (s *Storage) getRoleCredentials() error {
 }
 
 func (s *Storage) requestCredentials() (string, string, string, error) {
-	if s.fargateCredentialsURL != "" {
+	if s.fargateCredentials {
 		// Use Fargate credentials
-		fargateReq, err := http.NewRequest("GET", s.fargateCredentialsURL, nil)
+		fargateCredentialsRelativeURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
+		if fargateCredentialsRelativeURI == "" {
+      return "", "", "", errors.New(fmt.Sprintf("environment variable %s is not set or empty", "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"))
+    }
+		fargateCredentialsURL := fmt.Sprintf("%s%s", "http://169.254.170.2", fargateCredentialsRelativeURI)
+
+		fargateReq, err := http.NewRequest("GET", fargateCredentialsURL, nil)
 		if err != nil {
 			return "", "", "", errors.New("cannot form fargate credentials request")
 		}
diff --git a/pkg/server/options.go b/pkg/server/options.go
@@ -98,7 +98,7 @@ type RemoteStorageOptions struct {
 	S3PathPrefix          string
 	S3ExternalIdentifier  bool
 	S3InstanceMetadataURL string
-	FargateCredentialsURL string
+	FargateCredentials    bool
 }
 
 type ReplicationOptions struct {
@@ -371,7 +371,11 @@ func (o *Options) String() string {
 		opts = append(opts, "S3 storage")
 		if o.RemoteStorageOptions.S3RoleEnabled {
 			opts = append(opts, rightPad("   role auth", o.RemoteStorageOptions.S3RoleEnabled))
-			opts = append(opts, rightPad("   role name", o.RemoteStorageOptions.S3Role))
+			if o.RemoteStorageOptions.FargateCredentials {
+				opts = append(opts, rightPad("   fargate creds", o.RemoteStorageOptions.FargateCredentials))
+			} else {
+				opts = append(opts, rightPad("   role name", o.RemoteStorageOptions.S3Role))
+			}
 		}
 		opts = append(opts, rightPad("   endpoint", o.RemoteStorageOptions.S3Endpoint))
 		opts = append(opts, rightPad("   bucket name", o.RemoteStorageOptions.S3BucketName))
@@ -380,7 +384,9 @@ func (o *Options) String() string {
 		}
 		opts = append(opts, rightPad("   prefix", o.RemoteStorageOptions.S3PathPrefix))
 		opts = append(opts, rightPad("   external id", o.RemoteStorageOptions.S3ExternalIdentifier))
-		opts = append(opts, rightPad("   metadata url", o.RemoteStorageOptions.S3InstanceMetadataURL))
+		if !o.RemoteStorageOptions.FargateCredentials {
+		  opts = append(opts, rightPad("   metadata url", o.RemoteStorageOptions.S3InstanceMetadataURL))
+		}
 	}
 	if o.AdminPassword == auth.SysAdminPassword {
 		opts = append(opts, "----------------------------------------")
@@ -600,8 +606,8 @@ func (opts *RemoteStorageOptions) WithS3InstanceMetadataURL(url string) *RemoteS
 	return opts
 }
 
-func (opts *RemoteStorageOptions) WithFargateCredentialsURL(fargateCredentialsURL string) *RemoteStorageOptions {
-	opts.FargateCredentialsURL = fargateCredentialsURL
+func (opts *RemoteStorageOptions) WithS3FargateCredentials(fargateCredentials bool) *RemoteStorageOptions {
+	opts.FargateCredentials = fargateCredentials
 	return opts
 }
 
diff --git a/pkg/server/remote_storage.go b/pkg/server/remote_storage.go
@@ -60,7 +60,7 @@ func (s *ImmuServer) createRemoteStorageInstance() (remotestorage.Storage, error
 			s.Options.RemoteStorageOptions.S3Location,
 			s.Options.RemoteStorageOptions.S3PathPrefix,
 			s.Options.RemoteStorageOptions.S3InstanceMetadataURL,
-			s.Options.RemoteStorageOptions.FargateCredentialsURL,
+			s.Options.RemoteStorageOptions.FargateCredentials,
 		)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ func (s *ImmuServer) createRemoteStorageInstance() (remotestorage.Storage, error`
`60`	`60`	`s.Options.RemoteStorageOptions.S3Location,`
`61`	`61`	`s.Options.RemoteStorageOptions.S3PathPrefix,`
`62`	`62`	`s.Options.RemoteStorageOptions.S3InstanceMetadataURL,`
`63`		`- s.Options.RemoteStorageOptions.FargateCredentialsURL,`
	`63`	`+ s.Options.RemoteStorageOptions.FargateCredentials,`
`64`	`64`	`)`
`65`	`65`	`}`
`66`	`66`