[12.0] use IAM role for service account for S3 storage (#356)

By dropping the requirement to have `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` envvars set, we can let the more secure IAM role for service account take over the authentication. Co-authored-by: Marc Fournier <marc.fournier@qoqa.com>
2026-06-23 18:04:34 +00:00 · 2022-03-31 16:43:22 +02:00
parent 6f8ae872ff
commit 1f5970f05e
2 changed files with 15 additions and 5 deletions
@@ -54,14 +54,19 @@ class IrAttachment(models.Model):
        region_name = os.environ.get('AWS_REGION')
        access_key = os.environ.get('AWS_ACCESS_KEY_ID')
        secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY')
+        aws_use_irsa = os.environ.get('AWS_USE_IRSA')
        bucket_name = bucket_name or os.environ.get('AWS_BUCKETNAME')
        # replaces {db} by the database name to handle multi-tenancy
        bucket_name = bucket_name.format(db=self.env.cr.dbname)
        params = {
-            'aws_access_key_id': access_key,
-            'aws_secret_access_key': secret_key,
            'bucket_name': bucket_name,
        }
+        if access_key:
+            params['aws_access_key_id'] = access_key
+        if secret_key:
+            params['aws_secret_access_key'] = secret_key
+        if aws_use_irsa:
+            params['aws_use_irsa'] = aws_use_irsa
        if host:
            params['endpoint_url'] = host
        if region_name:
@@ -79,6 +84,7 @@ class IrAttachment(models.Model):
        * ``AWS_ACCESS_KEY_ID``
        * ``AWS_SECRET_ACCESS_KEY``
        * ``AWS_BUCKETNAME``
+        * ``AWS_USE_IRSA``

        If a name is provided, we'll read this bucket, otherwise, the bucket
        from the environment variable ``AWS_BUCKETNAME`` will be read.
@@ -89,14 +95,17 @@ class IrAttachment(models.Model):
        #  keyword argument 'bucket_name'
        bucket_name = params.pop("bucket_name")
        if not (
-            params["aws_access_key_id"] and
-            params["aws_secret_access_key"] and
-            bucket_name
+            bucket_name and
+            (params["aws_access_key_id"] and
+             params["aws_secret_access_key"] or
+             params["aws_use_irsa"])
        ):
            msg = _('If you want to read from the %s S3 bucket, the following '
                    'environment variables must be set:\n'
                    '* AWS_ACCESS_KEY_ID\n'
                    '* AWS_SECRET_ACCESS_KEY\n'
+                    'or use irsa for authentification\n'
+                    '* AWS_USE_IRSA\n'
                    'If you want to write in the %s S3 bucket, this variable '
                    'must be set as well:\n'
                    '* AWS_BUCKETNAME\n'
@@ -10,3 +10,4 @@ keystoneauth1==3.14.0
 # error with 5.x (ConstructorError: could not determine a constructor for the tag '!record')
 PyYAML==4.2b4
 prometheus_client==0.11.0
+portalocker==1.7.1