feat(fs-aws): add credential config for public and requester pays (#1409

) #### Motivation Requester pays and public buckets are pretty common ways of accessing s3 locations, access needs to be configured so that a bucket can be accessed with either: - "assume this role then use requester pays" - "use the current role but as requester pays" or as a public bucket with no credentials. #### Modification allow credentials to be defined as requester pays or public
blacha · Mar 4, 2024 · 0386b61 · 0386b61
1 parent 4fe4819
commit 0386b61
Show file tree

Hide file tree

Showing 4 changed files with 115 additions and 16 deletions.
diff --git a/packages/fs-aws/src/__tests__/credentials.test.ts b/packages/fs-aws/src/__tests__/credentials.test.ts
@@ -0,0 +1,37 @@
+import assert from 'node:assert';
+import { describe, it } from 'node:test';
+
+import { AwsS3CredentialProvider, getPublicS3 } from '../credentials.js';
+import { AwsCredentialConfig } from '../types.js';
+
+describe('AwsS3CredentialProvider', () => {
+  const baseConfig: AwsCredentialConfig = { type: 's3', prefix: 's3://' };
+  it('should set requester pays', () => {
+    const creds = new AwsS3CredentialProvider();
+
+    const fs = creds.createFileSystem({ ...baseConfig, access: 'public' });
+    assert.ok(fs.s3 === getPublicS3());
+    assert.ok(fs.requestPayer === 'public');
+  });
+
+  it('should support requester pays', () => {
+    const creds = new AwsS3CredentialProvider();
+
+    const fs = creds.createFileSystem({ ...baseConfig, roleArn: 'arn:...', access: 'requesterPays' });
+    assert.ok(fs.s3 !== getPublicS3());
+    assert.ok(fs.requestPayer === 'requester');
+  });
+
+  it('should support requester pays from the current role', () => {
+    const creds = new AwsS3CredentialProvider();
+
+    const fs = creds.createFileSystem({ ...baseConfig, roleArn: undefined, access: 'requesterPays' });
+    assert.ok(fs.s3 !== getPublicS3());
+    assert.ok(fs.requestPayer === 'requester');
+  });
+
+  it('should require a roleArn', () => {
+    const creds = new AwsS3CredentialProvider();
+    assert.throws(() => creds.createFileSystem({ ...baseConfig }));
+  });
+});
diff --git a/packages/fs-aws/src/credentials.ts b/packages/fs-aws/src/credentials.ts
@@ -1,8 +1,9 @@
 import { S3Client } from '@aws-sdk/client-s3';
 import { fromTemporaryCredentials } from '@aws-sdk/credential-providers';
 import { FileSystem, FileSystemProvider } from '@chunkd/fs';
-import { AwsCredentialConfig, AwsCredentialProvider } from './types.js';
+
 import { FsAwsS3 } from './fs.s3.js';
+import { AwsCredentialConfig, AwsCredentialProvider } from './types.js';
 
 export function isPromise<T>(t: AwsCredentialProvider | Promise<T>): t is Promise<T> {
   return 'then' in t && typeof t['then'] === 'function';
@@ -48,6 +49,14 @@ export class FsConfigFetcher {
   }
 }
 
+let PublicClient: S3Client | undefined;
+/** Creating a public s3 client is somewhat hard, where the signing method needs to be overriden */
+export function getPublicS3(): S3Client {
+  if (PublicClient) return PublicClient;
+  PublicClient = new S3Client({ signer: { sign: async (req) => req } });
+  return PublicClient;
+}
+
 export type AwsCredentialProviderLoader = () => Promise<AwsCredentialProvider>;
 export class AwsS3CredentialProvider implements FileSystemProvider<FsAwsS3> {
   /**
@@ -63,6 +72,22 @@ export class AwsS3CredentialProvider implements FileSystemProvider<FsAwsS3> {
 
   /** Given a config create a file system */
   createFileSystem(cs: AwsCredentialConfig): FsAwsS3 {
+    // Public access
+    if (cs.access === 'public') {
+      const fs = new FsAwsS3(getPublicS3());
+      fs.requestPayer = 'public';
+      return fs;
+    }
+
+    // Requester pays off the current credentials
+    if (cs.access === 'requesterPays' && cs.roleArn == null) {
+      const fs = new FsAwsS3(new S3Client({}));
+      if (cs.access === 'requesterPays') fs.requestPayer = 'requester';
+      return fs;
+    }
+
+    // All other credentials need a role assumed
+    if (cs.roleArn == null) throw new Error('No roleArn is defined for prefix: ' + cs.prefix);
     const client = new S3Client({
       credentials: fromTemporaryCredentials({
         params: {
@@ -74,7 +99,9 @@ export class AwsS3CredentialProvider implements FileSystemProvider<FsAwsS3> {
       }),
     });
 
-    return new FsAwsS3(client);
+    const fs = new FsAwsS3(client);
+    if (cs.access === 'requesterPays') fs.requestPayer = 'requester';
+    return fs;
   }
   /** Version for session name generally v2 or v3 for aws-sdk versions */
   version = 'v3';

diff --git a/packages/fs-aws/src/fs.s3.ts b/packages/fs-aws/src/fs.s3.ts
@@ -1,3 +1,6 @@
+import type { Readable } from 'node:stream';
+import { PassThrough } from 'node:stream';
+
 import {
   DeleteObjectCommand,
   GetObjectCommand,
@@ -7,10 +10,9 @@ import {
   S3Client,
 } from '@aws-sdk/client-s3';
 import { Upload } from '@aws-sdk/lib-storage';
-import { FileInfo, FileSystem, FileSystemAction, FsError, ListOptions, WriteOptions, isRecord } from '@chunkd/fs';
+import { FileInfo, FileSystem, FileSystemAction, FsError, isRecord, ListOptions, WriteOptions } from '@chunkd/fs';
 import { SourceAwsS3 } from '@chunkd/source-aws';
-import type { Readable } from 'node:stream';
-import { PassThrough } from 'node:stream';
+
 import { AwsS3CredentialProvider } from './credentials.js';
 
 function isReadable(r: any): r is Readable {
@@ -49,7 +51,7 @@ export class FsAwsS3 implements FileSystem {
   writeTests = new Map<string, Promise<void | FsAwsS3>>();
 
   /** Request Payment option */
-  requestPayer?: 'requester';
+  requestPayer?: 'requester' | 'public';
 
   /**
    * When testing write permissions add a suffix to the file name, this file will be deleted up after writing completes

diff --git a/packages/fs-aws/src/types.ts b/packages/fs-aws/src/types.ts
@@ -1,20 +1,53 @@
 export interface AwsCredentialConfig {
-  /** Prefix type generally s3 */
+  /**
+   * Prefix type generally s3
+   */
   type: 's3';
-  /** Prefix should always start with `s3://${bucket}` */
+
+  /**
+   * Location that these credentials are valid for,
+   *
+   * prefixes should always start with `s3://${bucket}/`
+   *
+   * @example
+   * ```typescript
+   * "s3://example/" // Matches all files in "s3://example/**"
+   * "s3://example"  // Matches all files in all buckets starting with "s3://example*"
+   * ```
+   */
   prefix: string;
-  /** Role to use to access */
-  roleArn: string;
-  /** Aws account this bucket belongs to */
+
+  /**
+   * Role to use to access
+   *
+   * roleArn is not required if access is "public"
+   */
+  roleArn?: string;
+
+  /**
+   * Aws account this bucket belongs to
+   */
   accountId?: string;
-  /** Bucket name */
-  bucket?: string;
-  /** ExternalId if required */
+
+  /**
+   * ExternalId if required
+   */
   externalId?: string;
-  /** Max role session duration */
+
+  /**
+   * Max role session duration
+   */
   roleSessionDuration?: number;
-  /** Can these credentials be used for "read" or "read-write" access */
+
+  /**
+   * Can these credentials be used for "read" or "read-write" access
+   */
   flags?: 'r' | 'rw';
+
+  /**
+   * Can this prefix be accessed without credentials or as requesterPays
+   */
+  access?: 'public' | 'requesterPays';
 }
 
 export interface AwsCredentialProvider {