Description
How to use GitHub
- Please use the 👍 reaction to show that you are interested in the same feature.
- Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
- Subscribe to receive notifications on status change and new comments.
Is your feature request related to a problem? Please describe.
The current implementation of S3 Object Storage only supports static `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
For dynamic environments (Kubernetes / EKS) where you do not want to have long-lived credentials, you usually use a service to create / rotate the credentials on the fly (like HashiCorp Vault with AWS STS). AWS STS creates temporary, limited-privilege credentials to access resources like S3.
The credentials generated by AWS STS require an `AWS_SESSION_TOKEN` in addition to the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
Describe the solution you'd like
Allow the `AWS_SESSION_TOKEN` as input for S3 object storage configuration.
e.g.
```php
<?php
// config/config.php (fragment): the proposed 'session_token' argument
// next to the existing 'key' and 'secret'
$CONFIG = [
    'objectstore' => [
        'class' => '\\OC\\Files\\ObjectStore\\S3',
        'arguments' => [
            'bucket' => 'my-nextcloud-store',
            'region' => 'us-east-1',
            'key' => 'XXX',
            'secret' => 'XXXAAA',
            'session_token' => 'XXXYYY',
        ],
    ],
];
```
The variable must also be configurable via the environment variables and the Helm chart (`nextcloud.objectStore.s3.existingSecret`).