
Support AWS STS (AWS_SESSION_TOKEN) for S3 Object Storage #50579

Duplicate of #35919
nextcloud/docker
#2364
@BornToBeRoot

Description

How to use GitHub

  • Please use the 👍 reaction to show that you are interested in the same feature.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Is your feature request related to a problem? Please describe.

The current implementation of S3 Object Storage only supports static AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

For dynamic environments (Kubernetes / EKS) where you do not want to have long-lived credentials, you usually use a service to create / rotate the credentials on the fly (like HashiCorp Vault with AWS STS). AWS STS creates temporary, limited-privilege credentials to access resources like S3.

The credentials generated by AWS STS require an AWS_SESSION_TOKEN in addition to the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html

Describe the solution you'd like

Allow the AWS_SESSION_TOKEN as input for the S3 object storage configuration.

e.g.

```php
// Fragment of config/config.php: S3 as primary object store
'objectstore' => [
        'class' => '\\OC\\Files\\ObjectStore\\S3',
        'arguments' => [
                'bucket' => 'my-nextcloud-store',
                'region' => 'us-east-1',
                'key' => 'XXX',            // AWS_ACCESS_KEY_ID
                'secret' => 'XXXAAA',      // AWS_SECRET_ACCESS_KEY
                'session_token' => 'XXXYYY', // AWS_SESSION_TOKEN (proposed new key)
        ],
],
```

The variable must also be configurable via the environment variables and the Helm chart (nextcloud.objectStore.s3.existingSecret)

https://github.com/nextcloud/helm/tree/main/charts/nextcloud#object-storage-as-primary-storage-configuration
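To make the request concrete: STS credentials are not just a key/secret pair with a third string bolted on. The session token has to be sent as the `x-amz-security-token` header and that header has to be covered by the SigV4 signature, which is why a backend that only knows `key` and `secret` cannot use them at all. The following is an added example (not Nextcloud's or the AWS SDK's code) that signs an S3 GET with and without a token, in Python so it runs offline; all key material, the bucket name and the timestamp are constructed placeholder values.

```python
"""AWS Signature Version 4 for an S3 GET, with and without an STS session token.

Added example, not Nextcloud code. All credentials below are constructed
placeholders; "ASIA..." mirrors the prefix AWS uses for temporary keys.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Fixed timestamp so the output is reproducible (constructed value).
FIXED_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_s3_get(bucket, key, region, access_key, secret_key,
                session_token=None, when=None):
    """Return the headers for a SigV4-signed GET of s3://bucket/key.

    When session_token is given it is added as x-amz-security-token and
    listed in SignedHeaders, which is what STS credentials require.
    """
    when = when or datetime.now(timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    payload_hash = _sha256_hex(b"")  # GET carries an empty body

    headers = {
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    if session_token:
        headers["x-amz-security-token"] = session_token

    # Canonical headers are sorted by lowercase name; the same list is signed.
    names = sorted(headers)
    canonical_headers = "".join(f"{h}:{headers[h].strip()}\n" for h in names)
    signed_headers = ";".join(names)
    canonical_uri = "/" + quote(key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET", canonical_uri, "",          # method, path, empty query string
        canonical_headers, signed_headers, payload_hash,
    ])

    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])

    # Signing key derivation: secret -> date -> region -> service -> signing.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, "s3")
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def signature_of(headers):
    """Extract the hex signature from a signed header set."""
    return headers["authorization"].rsplit("Signature=", 1)[1]


if __name__ == "__main__":
    common = ("my-nextcloud-store", "nc/data/file.txt", "us-east-1",
              "ASIAEXAMPLEKEY", "example-secret")
    static = sign_s3_get(*common, when=FIXED_TIME)
    sts = sign_s3_get(*common, session_token="example-session-token",
                      when=FIXED_TIME)
    print("static credentials:", static["authorization"])
    print("STS credentials:   ", sts["authorization"])
```

Run the module directly to see the two Authorization headers side by side: the STS variant differs in both `SignedHeaders` and `Signature`, and S3 rejects temporary credentials whose token is missing or not signed. This is the same header handling the AWS SDK performs when it is given a token, which is what a `session_token` argument in the object store configuration would have to pass through.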

