Backport cortexproject/cortex#4897 to fix IDMSv1 (#2760)

* Backport cortexproject/cortex#4897 to fix IDMSv1 Signed-off-by: Jakub Coufal <[email protected]> * Update CHANGELOG.md Signed-off-by: Jakub Coufal <[email protected]> --------- Signed-off-by: Jakub Coufal <[email protected]>
grafana · Aug 4, 2023 · ba621f6 · ba621f6
1 parent 72118ab
commit ba621f6
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * [ENHANCEMENT] Assert ingestion rate limits as early as possible [#2640](https://github.com/grafana/tempo/pull/2703) (@mghildiy)
 * [ENHANCEMENT] Add several metrics-generator fields to user-configurable overrides [#2711](https://github.com/grafana/tempo/pull/2711) (@kvrhdn)
 * [BUGFIX] Fix panic in metrics summary api [#2738](https://github.com/grafana/tempo/pull/2738) (@mdisibio)
+* [BUGFIX] Fix node role auth IDMSv1 [#2760](https://github.com/grafana/tempo/pull/2760) (@coufalja)
 
 ## v2.2.0 / 2023-07-31
 

diff --git a/tempodb/backend/s3/awssdkauth.go b/tempodb/backend/s3/awssdkauth.go
@@ -0,0 +1,40 @@
+package s3
+
+import (
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/defaults"
+	mcreds "github.com/minio/minio-go/v7/pkg/credentials"
+	"github.com/pkg/errors"
+)
+
+func NewAWSSDKAuth(region string) *AWSSDKAuth {
+	dc := defaults.Config().WithRegion(region)
+	creds := defaults.CredChain(dc, defaults.Handlers())
+	return &AWSSDKAuth{
+		creds: creds,
+	}
+}
+
+// AWSSDKAuth retrieves credentials from the aws-sdk-go.
+type AWSSDKAuth struct {
+	creds *credentials.Credentials
+}
+
+// Retrieve retrieves the keys from the environment.
+func (a *AWSSDKAuth) Retrieve() (mcreds.Value, error) {
+	val, err := a.creds.Get()
+	if err != nil {
+		return mcreds.Value{}, errors.Wrap(err, "retrieve AWS SDK credentials")
+	}
+	return mcreds.Value{
+		AccessKeyID:     val.AccessKeyID,
+		SecretAccessKey: val.SecretAccessKey,
+		SessionToken:    val.SessionToken,
+		SignerType:      mcreds.SignatureV4,
+	}, nil
+}
+
+// IsExpired returns if the credentials have been retrieved.
+func (a *AWSSDKAuth) IsExpired() bool {
+	return a.creds.IsExpired()
+}
diff --git a/tempodb/backend/s3/s3.go b/tempodb/backend/s3/s3.go
@@ -420,6 +420,7 @@ func createCore(cfg *Config, hedge bool) (*minio.Core, error) {
 	}
 
 	creds := credentials.NewChainCredentials([]credentials.Provider{
+		wrapCredentialsProvider(NewAWSSDKAuth(cfg.Region)),
 		wrapCredentialsProvider(&credentials.EnvAWS{}),
 		wrapCredentialsProvider(&credentials.Static{
 			Value: credentials.Value{