From 87b9237758a4d78db1f51dab81f0676bda29aa41 Mon Sep 17 00:00:00 2001
From: Larry Knox
Date: Wed, 4 Dec 2024 10:06:31 -0600
Subject: [PATCH] Add function H5FD__s3comms_load_aws_creds_from_file() to get AWS credentials from environment variables. These will override any corresponding variables loaded from files.
---
 src/H5FDs3comms.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
diff --git a/src/H5FDs3comms.c b/src/H5FDs3comms.c
index c5de645ddb8..4c8a1f10038 100644
--- a/src/H5FDs3comms.c
+++ b/src/H5FDs3comms.c
@@ -1840,6 +1840,68 @@ H5FD__s3comms_load_aws_creds_from_file(FILE *file, const char *profile_name, cha
 FUNC_LEAVE_NOAPI(ret_value)
 } /* end H5FD__s3comms_load_aws_creds_from_file() */
+/*-----------------------------------------------------------------------------
+ *
+ * Function: H5FD__s3comms_load_aws_creds_from_file()
+ *
+ * Purpose:
+ *
+ * Get aws credentials from environment variables AWS_ACCESS_KEY_ID,
+ * AWS_SECRET_ACCESS_KEY, AWS_REGION and AWS_SESSION_TOKEN.
+ * Values from these environment variables will overrride any values
+ * for corresponding variables loaded from credentials and configuration
+ * files.
+ *
+ * Values for AWS_PROFILE and AWS_MAX_ATTEMPTS are not currently obtained.
+ *
+ * Return: SUCCEED/FAIL
+ *
+ */
+static herr_t
+H5FD__s3comms_load_aws_creds_from_env(char *key_id, char *secret_access_key, char *aws_region)
+{
+ herr_t ret_value = SUCCEED;
+ char *key_id_env=NULL;
+ char *secret_access_key_env=NULL;
+ char *aws_region_env=NULL;
+
+ FUNC_ENTER_PACKAGE
+
+ /* AWS_ACCESS_KEY_ID values are typically 16 or 20 characters, with up to 128 allowed.
+ * Difference in size between the one from the environment and one in cred files
+ * requires some special handling.
+ */
+ key_id_env=getenv("AWS_ACCESS_KEY_ID");
+ if (key_id_env != NULL && key_id_env[0] != '\0') {
+ if (strlen(key_id) == 0 || strncmp(key_id, key_id_env, strlen(key_id) != 0))
+ strncpy(key_id, key_id_env, strlen(key_id_env));
+ key_id[strlen(key_id_env)] = '\0';
+ }
+
+ /* AWS_SECRET_ACCESS_KEY values are 40 characters */
+ secret_access_key_env=getenv("AWS_SECRET_ACCESS_KEY");
+ if (secret_access_key_env != NULL && secret_access_key_env[0] != '\0') {
+ if (strlen(secret_access_key) == 0 ||
+ strncmp(secret_access_key, secret_access_key_env,
+ strlen(secret_access_key)) != 0) {
+ strncpy(secret_access_key, secret_access_key_env, strlen(secret_access_key_env));
+ secret_access_key[strlen(secret_access_key_env)] = '\0';
+ }
+ }
+
+ /* AWS_REGION values are 9 - ~12 characters */
+ aws_region_env=getenv("AWS_REGION");
+ if (aws_region_env != NULL && aws_region_env[0] != '\0') {
+ if (strlen(aws_region) == 0 ||
+ strncmp(aws_region, aws_region_env, strlen(aws_region)) != 0) {
+ strncpy(aws_region, aws_region_env, strlen(aws_region_env));
+ aws_region[strlen(aws_region_env)] = '\0';
+ }
+ }
+
+ FUNC_LEAVE_NOAPI(ret_value)
+}
+
 /*----------------------------------------------------------------------------
 *
 * Function: H5FD_s3comms_load_aws_profile()
@@ -1917,6 +1979,11 @@ H5FD_s3comms_load_aws_profile(const char *profile_name, char *key_id_out, char *
 credfile = NULL;
 } /* end if credential file opened */
+ /* Check for credentials in environment variables. Environment variables will override
+ * credentials from credentials/config files and just load them if there were none in
+ * the files. */
+ ret_value = H5FD__s3comms_load_aws_creds_from_env(key_id_out, secret_access_key_out, aws_region_out);
+
 /* fail if not all three settings were loaded */
 if (*key_id_out == 0 || *secret_access_key_out == 0 || *aws_region_out == 0) ret_value = FAIL;
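Review bot: In the AWS_ACCESS_KEY_ID stanza of H5FD__s3comms_load_aws_creds_from_env() the `!= 0` sits inside the strncmp() length argument (`strlen(key_id) != 0))`), and the inner `if` has no braces, so `key_id[strlen(key_id_env)] = '\0';` runs even when the copy is skipped. As written, a file-loaded key id that shares its first character with the environment value is not replaced, yet is still terminated at the environment value's length, which can leave one source's key id paired with the other's secret. All three stanzas also call `strncpy(dst, env, strlen(env))`, which bounds the copy by the source rather than by the caller's buffer; the function receives no capacities, so an over-long environment value would write past the destination (the buffer sizes are not visible in this patch). The fence shows one stanza with an explicit capacity and no prefix comparison; the other two stanzas follow the same pattern and the call in the second hunk would have to pass the sizes. The header comment also names `H5FD__s3comms_load_aws_creds_from_file()`, spells "overrride", and lists AWS_SESSION_TOKEN, which the body never reads.

```c
static herr_t
H5FD__s3comms_load_aws_creds_from_env(char *key_id, size_t key_id_size, char *secret_access_key,
                                      size_t secret_access_key_size, char *aws_region,
                                      size_t aws_region_size)
{
    /* … unchanged: local declarations, FUNC_ENTER_PACKAGE … */

    key_id_env = getenv("AWS_ACCESS_KEY_ID");
    if (key_id_env != NULL && key_id_env[0] != '\0') {
        size_t len = strlen(key_id_env);

        if (len < key_id_size)
            memcpy(key_id, key_id_env, len + 1); /* copies the terminator as well */
        else
            ret_value = FAIL; /* does not fit: report it instead of truncating a credential */
    }

    /* … same pattern for AWS_SECRET_ACCESS_KEY and AWS_REGION … */
```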
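Review bot: The added call assigns the helper's result straight to `ret_value`, which would overwrite a FAIL recorded earlier in H5FD_s3comms_load_aws_profile() if control can reach this line with one already set; the earlier part of the function is outside the hunk. Prefer `if (H5FD__s3comms_load_aws_creds_from_env(key_id_out, secret_access_key_out, aws_region_out) < 0) ret_value = FAIL;` so the call can only add a failure, never clear one. Whether this line is reached when neither the credentials nor the config file exists is also not visible here; if the file handling above can exit early, an environment-only setup would never be read, which deserves a comment or a test.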