codenotary
diff --git a/‎README.md‎
Lines changed: 23 additions & 0 deletions b/‎README.md‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎cmd/immudb/command/init.go‎
Lines changed: 6 additions & 0 deletions b/‎cmd/immudb/command/init.go‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎cmd/immudb/command/parse_options.go‎
Lines changed: 7 additions & 1 deletion b/‎cmd/immudb/command/parse_options.go‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎embedded/remotestorage/s3/s3.go‎
Lines changed: 160 additions & 15 deletions b/‎embedded/remotestorage/s3/s3.go‎
Lines changed: 160 additions & 15 deletions
@@ -181,6 +181,29 @@ such as with AWS ECS Fargate, the identifier can be taken from S3. To enable tha
 export IMMUDB_S3_EXTERNAL_IDENTIFIER=true
 ```
 
+You can also use the role-based credentials for more flexible and secure configuration.
+This allows the service to be used with instance role configuration without a user entity.
+The following example shows how to run immudb with the S3 storage enabled using AWS Roles:
+
+```bash
+export IMMUDB_S3_STORAGE=true
+export IMMUDB_S3_ROLE_ENABLED=true
+export IMMUDB_S3_BUCKET_NAME=<BUCKET NAME>
+export IMMUDB_S3_LOCATION=<AWS S3 REGION>
+export IMMUDB_S3_PATH_PREFIX=testing-001
+export IMMUDB_S3_ENDPOINT="https://${IMMUDB_S3_BUCKET_NAME}.s3.${IMMUDB_S3_LOCATION}.amazonaws.com"
+
+./immudb
+```
+
+Optionally, you can specify the exact role immudb should be using with:
+
+```bash
+export IMMUDB_S3_ROLE=<AWS S3 ACCESS ROLE NAME>
+```
+
+Remember, the `IMMUDB_S3_ROLE_ENABLED` parameter still should be on.
+
 You can also easily use immudb with compatible s3 alternatives
 such as the [minio](https://github.com/minio/minio) server:
 
 
@@ -72,13 +72,16 @@ func (cl *Commandline) setupFlags(cmd *cobra.Command, options *server.Options) {
 	cmd.Flags().Int("pgsql-server-port", 5432, "pgsql server port")
 	cmd.Flags().Bool("pprof", false, "add pprof profiling endpoint on the metrics server")
 	cmd.Flags().Bool("s3-storage", false, "enable or disable s3 storage")
+	cmd.Flags().Bool("s3-role-enabled", false, "enable role-based authentication for s3 storage")
 	cmd.Flags().String("s3-endpoint", "", "s3 endpoint")
+	cmd.Flags().String("s3-role", "", "role name for role-based authentication attempt for s3 storage")
 	cmd.Flags().String("s3-access-key-id", "", "s3 access key id")
 	cmd.Flags().String("s3-secret-key", "", "s3 secret access key")
 	cmd.Flags().String("s3-bucket-name", "", "s3 bucket name")
 	cmd.Flags().String("s3-location", "", "s3 location (region)")
 	cmd.Flags().String("s3-path-prefix", "", "s3 path prefix (multiple immudb instances can share the same bucket if they have different prefixes)")
 	cmd.Flags().Bool("s3-external-identifier", false, "use the remote identifier if there is no local identifier")
+	cmd.Flags().String("s3-instance-metadata-url", "http://169.254.169.254", "s3 instance metadata url")
 	cmd.Flags().Int("max-sessions", 100, "maximum number of simultaneously opened sessions")
 	cmd.Flags().Duration("max-session-inactivity-time", 3*time.Minute, "max session inactivity time is a duration after which an active session is declared inactive by the server. A session is kept active if server is still receiving requests from client (keep-alive or other methods)")
 	cmd.Flags().Duration("max-session-age-time", 0, "the current default value is infinity. max session age time is a duration after which session will be forcibly closed")
@@ -135,12 +138,15 @@ func setupDefaults(options *server.Options) {
 	viper.SetDefault("pprof", false)
 	viper.SetDefault("s3-storage", false)
 	viper.SetDefault("s3-endpoint", "")
+	viper.SetDefault("s3-role-enabled", false)
+	viper.SetDefault("s3-role", "")
 	viper.SetDefault("s3-access-key-id", "")
 	viper.SetDefault("s3-secret-key", "")
 	viper.SetDefault("s3-bucket-name", "")
 	viper.SetDefault("s3-location", "")
 	viper.SetDefault("s3-path-prefix", "")
 	viper.SetDefault("s3-external-identifier", false)
+	viper.SetDefault("s3-instance-metadata-url", "http://169.254.169.254")
 	viper.SetDefault("max-sessions", 100)
 	viper.SetDefault("max-session-inactivity-time", 3*time.Minute)
 	viper.SetDefault("max-session-age-time", 0)
 
@@ -86,23 +86,29 @@ func parseOptions() (options *server.Options, err error) {
 	swaggerUIEnabled := viper.GetBool("swaggerui")
 
 	s3Storage := viper.GetBool("s3-storage")
+	s3RoleEnabled := viper.GetBool("s3-role-enabled")
+	s3Role := viper.GetString("s3-role")
 	s3Endpoint := viper.GetString("s3-endpoint")
 	s3AccessKeyID := viper.GetString("s3-access-key-id")
 	s3SecretKey := viper.GetString("s3-secret-key")
 	s3BucketName := viper.GetString("s3-bucket-name")
 	s3Location := viper.GetString("s3-location")
 	s3PathPrefix := viper.GetString("s3-path-prefix")
 	s3ExternalIdentifier := viper.GetBool("s3-external-identifier")
+	s3MetadataURL := viper.GetString("s3-instance-metadata-url")
 
 	remoteStorageOptions := server.DefaultRemoteStorageOptions().
 		WithS3Storage(s3Storage).
+		WithS3RoleEnabled(s3RoleEnabled).
+		WithS3Role(s3Role).
 		WithS3Endpoint(s3Endpoint).
 		WithS3AccessKeyID(s3AccessKeyID).
 		WithS3SecretKey(s3SecretKey).
 		WithS3BucketName(s3BucketName).
 		WithS3Location(s3Location).
 		WithS3PathPrefix(s3PathPrefix).
-		WithS3ExternalIdentifier(s3ExternalIdentifier)
+		WithS3ExternalIdentifier(s3ExternalIdentifier).
+		WithS3InstanceMetadataURL(s3MetadataURL)
 
 	sessionOptions := sessions.DefaultOptions().
 		WithMaxSessions(viper.GetInt("max-sessions")).
 
@@ -23,6 +23,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
+	"encoding/json"
 	"encoding/xml"
 	"errors"
 	"fmt"
@@ -32,6 +33,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"regexp"
 	"sort"
 	"strconv"
 	"strings"
@@ -41,17 +43,24 @@ import (
 )
 
 type Storage struct {
-	endpoint    string
-	accessKeyID string
-	secretKey   string
-	bucket      string
-	prefix      string
-	location    string
-	httpClient  *http.Client
+	endpoint      string
+	S3RoleEnabled bool
+	s3Role        string
+	accessKeyID   string
+	secretKey     string
+	bucket        string
+	prefix        string
+	location      string
+	httpClient    *http.Client
+
+	awsInstanceMetadataURL string
+	awsCredsRefreshPeriod  time.Duration
 }
 
 var (
 	ErrInvalidArguments               = errors.New("invalid arguments")
+	ErrKeyCredentialsProvided         = errors.New("remote storage configuration already includes access key and/or secret key")
+	ErrCredentialsCannotBeFound       = errors.New("cannot find credentials based on instance role remote storage")
 	ErrInvalidArgumentsOffsSize       = fmt.Errorf("%w: negative offset or zero size", ErrInvalidArguments)
 	ErrInvalidArgumentsNameStartSlash = fmt.Errorf("%w: name can not start with /", ErrInvalidArguments)
 	ErrInvalidArgumentsNameEndSlash   = fmt.Errorf("%w: name can not end with /", ErrInvalidArguments)
@@ -73,17 +82,22 @@ var (
 	ErrInvalidResponseSubPathUnescape      = fmt.Errorf("%w: error un-escaping object name", ErrInvalidResponse)
 
 	ErrTooManyRedirects = errors.New("too many redirects")
+
+	arnRoleRegex = regexp.MustCompile(`arn:.*\/(.*)`)
 )
 
 const maxRedirects = 5
 
 func Open(
 	endpoint string,
+	S3RoleEnabled bool,
+	s3Role string,
 	accessKeyID string,
 	secretKey string,
 	bucket string,
 	location string,
 	prefix string,
+	awsInstanceMetadataURL string,
 ) (remotestorage.Storage, error) {
 
 	// Endpoint must always end with '/'
@@ -106,19 +120,30 @@ func Open(
 		prefix = prefix + "/"
 	}
 
-	return &Storage{
-		endpoint:    endpoint,
-		accessKeyID: accessKeyID,
-		secretKey:   secretKey,
-		bucket:      bucket,
-		location:    location,
-		prefix:      prefix,
+	s3storage := &Storage{
+		endpoint:      endpoint,
+		S3RoleEnabled: S3RoleEnabled,
+		s3Role:        s3Role,
+		accessKeyID:   accessKeyID,
+		secretKey:     secretKey,
+		bucket:        bucket,
+		location:      location,
+		prefix:        prefix,
 		httpClient: &http.Client{
 			CheckRedirect: func(req *http.Request, via []*http.Request) error {
 				return http.ErrUseLastResponse
 			},
 		},
-	}, nil
+		awsInstanceMetadataURL: awsInstanceMetadataURL,
+		awsCredsRefreshPeriod:  time.Minute,
+	}
+
+	err := s3storage.getRoleCredentials()
+	if err != nil {
+		return nil, err
+	}
+
+	return s3storage, nil
 }
 
 func (s *Storage) Kind() string {
@@ -691,4 +716,124 @@ func (s *Storage) scanObjectNames(ctx context.Context, prefix string, limit int)
 	return entries, subPaths, nil
 }
 
+func (s *Storage) getRoleCredentials() error {
+	if !s.S3RoleEnabled {
+		return nil
+	}
+
+	var err error
+	s.accessKeyID, s.secretKey, err = s.requestCredentials()
+	if err != nil {
+		return err
+	}
+
+	s3CredentialsRefreshTicker := time.NewTicker(s.awsCredsRefreshPeriod)
+	go func() {
+		for {
+			select {
+			case _ = <-s3CredentialsRefreshTicker.C:
+				accessKeyID, secretKey, err := s.requestCredentials()
+				if err != nil {
+					log.Printf("S3 role credentials lookup failed with an error: %v", err)
+					continue
+				}
+				s.accessKeyID, s.secretKey = accessKeyID, secretKey
+			}
+		}
+	}()
+
+	return nil
+}
+
+func (s *Storage) requestCredentials() (string, string, error) {
+	tokenReq, err := http.NewRequest("PUT", fmt.Sprintf("%s%s",
+		s.awsInstanceMetadataURL,
+		"/latest/api/token",
+	), nil)
+	if err != nil {
+		return "", "", errors.New("cannot form metadata token request")
+	}
+
+	tokenReq.Header.Set("X-aws-ec2-metadata-token-ttl-seconds", "21600")
+
+	tokenResp, err := http.DefaultClient.Do(tokenReq)
+	if err != nil {
+		return "", "", errors.New("cannot get metadata token")
+	}
+	defer tokenResp.Body.Close()
+
+	token, err := ioutil.ReadAll(tokenResp.Body)
+	if err != nil {
+		return "", "", errors.New("cannot read metadata token")
+	}
+
+	role := s.s3Role
+	if s.s3Role == "" {
+		roleReq, err := http.NewRequest("GET", fmt.Sprintf("%s%s",
+			s.awsInstanceMetadataURL,
+			"/latest/meta-data/iam/info",
+		), nil)
+		if err != nil {
+			return "", "", errors.New("cannot form role name request")
+		}
+
+		roleReq.Header.Set("X-aws-ec2-metadata-token", string(token))
+		roleResp, err := http.DefaultClient.Do(roleReq)
+		if err != nil {
+			return "", "", errors.New("cannot get role name")
+		}
+		defer roleResp.Body.Close()
+
+		creds, err := ioutil.ReadAll(roleResp.Body)
+		if err != nil {
+			return "", "", errors.New("cannot read role name")
+		}
+
+		var metadata struct {
+			InstanceProfileArn string `json:"InstanceProfileArn"`
+		}
+		if err := json.Unmarshal(creds, &metadata); err != nil {
+			return "", "", errors.New("cannot parse role name")
+		}
+
+		match := arnRoleRegex.FindStringSubmatch(metadata.InstanceProfileArn)
+		if len(match) < 2 {
+			return "", "", ErrCredentialsCannotBeFound
+		}
+
+		role = match[1]
+	}
+
+	credsReq, err := http.NewRequest("GET", fmt.Sprintf("%s%s/%s",
+		s.awsInstanceMetadataURL,
+		"/latest/meta-data/iam/security-credentials",
+		role,
+	), nil)
+	if err != nil {
+		return "", "", errors.New("cannot form role credentials request")
+	}
+
+	credsReq.Header.Set("X-aws-ec2-metadata-token", string(token))
+	credsResp, err := http.DefaultClient.Do(credsReq)
+	if err != nil {
+		return "", "", errors.New("cannot get role credentials")
+	}
+	defer credsResp.Body.Close()
+
+	creds, err := ioutil.ReadAll(credsReq.Body)
+	if err != nil {
+		return "", "", errors.New("cannot read role credentials")
+	}
+
+	var credentials struct {
+		AccessKeyID     string `json:"AccessKeyId"`
+		SecretAccessKey string `json:"SecretAccessKey"`
+	}
+	if err := json.Unmarshal(creds, &credentials); err != nil {
+		return "", "", errors.New("cannot parse role credentials")
+	}
+
+	return credentials.AccessKeyID, credentials.SecretAccessKey, nil
+}
+
 var _ remotestorage.Storage = (*Storage)(nil)