Do not use a chain for S3 tiering to return better error messages (#18030)

When using a chain provider all providers do not return a valid access and secret key, an anonymous request is sent, which makes it hard for users to figure out what is going on In the case of S3 tiering, when AWS IAM temporary account generation returns an error, an anonymous login will be used because of the chain provider. Avoid this and use the AWS IAM provider directly to get a good error message.
2023-09-14 15:28:20 -07:00 · 2023-09-14 15:28:20 -07:00 · b0e1776d6d
parent 7a7068ee47
commit b0e1776d6d
3 changed files with 7 additions and 16 deletions
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@ -29,7 +29,6 @@ import (
 	"fmt"
 	"math/rand"
 	"net"
-	"net/http"
 	"net/url"
 	"os"
 	"path"
@ -54,7 +53,6 @@ import (
 	"github.com/minio/kes-go"
 	"github.com/minio/madmin-go/v3"
 	"github.com/minio/minio-go/v7"
-	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/minio/minio-go/v7/pkg/set"
 	"github.com/minio/minio/internal/auth"
 	"github.com/minio/minio/internal/color"
@ -71,10 +69,7 @@ import (
 // serverDebugLog will enable debug printing
 var serverDebugLog = env.Get("_MINIO_SERVER_DEBUG", config.EnableOff) == config.EnableOn

-var (
-	shardDiskTimeDelta     time.Duration
-	defaultAWSCredProvider []credentials.Provider
-)
+var shardDiskTimeDelta time.Duration

 func init() {
 	if runtime.GOOS == "windows" {
@ -112,14 +107,6 @@ func init() {
 	gob.Register(madmin.XFSErrorConfigs{})
 	gob.Register(map[string]interface{}{})

-	defaultAWSCredProvider = []credentials.Provider{
-		&credentials.IAM{
-			Client: &http.Client{
-				Transport: NewHTTPTransport(),
-			},
-		},
-	}
-
 	var err error
 	shardDiskTimeDelta, err = time.ParseDuration(env.Get("_MINIO_SHARD_DISKTIME_DELTA", "1m"))
 	if err != nil {
--- a/cmd/warm-backend-s3.go
+++ b/cmd/warm-backend-s3.go
@ -115,7 +115,11 @@ func newWarmBackendS3(conf madmin.TierS3, tier string) (*warmBackendS3, error) {
 	}
 	var creds *credentials.Credentials
 	if conf.AWSRole {
-		creds = credentials.NewChainCredentials(defaultAWSCredProvider)
+		creds = credentials.New(&credentials.IAM{
+			Client: &http.Client{
+				Transport: NewHTTPTransport(),
+			},
+		})
 	} else {
 		creds = credentials.NewStaticV4(conf.AccessKey, conf.SecretKey, "")
 	}
--- a/cmd/warm-backend.go
+++ b/cmd/warm-backend.go
@ -117,7 +117,7 @@ type tierPermErr struct {
 }

 func (te tierPermErr) Error() string {
-	return fmt.Sprintf("failed to perform %s %v", te.Op, te.Err)
+	return fmt.Sprintf("failed to perform %s: %v", te.Op, te.Err)
 }

 func errIsTierPermError(err error) bool {