From b0e1776d6d42b75dc658dd1719b6b3f37ba6ded9 Mon Sep 17 00:00:00 2001
From: Anis Eleuch
Date: Thu, 14 Sep 2023 15:28:20 -0700
Subject: [PATCH] Do not use a chain for S3 tiering to return better error messages (#18030)

When using a chain provider all providers do not return a valid access and secret key, an anonymous request is sent, which makes it hard for users to figure out what is going on

In the case of S3 tiering, when AWS IAM temporary account generation returns an error, an anonymous login will be used because of the chain provider. Avoid this and use the AWS IAM provider directly to get a good error message.
---
 cmd/common-main.go | 15 +--------------
 cmd/warm-backend-s3.go | 6 +++++-
 cmd/warm-backend.go | 2 +-
 3 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/cmd/common-main.go b/cmd/common-main.go
index a56c5fbf9..5d584ad40 100644
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -29,7 +29,6 @@ import (
 "fmt"
 "math/rand"
 "net"
- "net/http"
 "net/url"
 "os"
 "path"
@@ -54,7 +53,6 @@ import (
 "github.com/minio/kes-go"
 "github.com/minio/madmin-go/v3"
 "github.com/minio/minio-go/v7"
- "github.com/minio/minio-go/v7/pkg/credentials"
 "github.com/minio/minio-go/v7/pkg/set"
 "github.com/minio/minio/internal/auth"
 "github.com/minio/minio/internal/color"
@@ -71,10 +69,7 @@ import (
 // serverDebugLog will enable debug printing
 var serverDebugLog = env.Get("_MINIO_SERVER_DEBUG", config.EnableOff) == config.EnableOn
 
-var (
- shardDiskTimeDelta time.Duration
- defaultAWSCredProvider []credentials.Provider
-)
+var shardDiskTimeDelta time.Duration
 
 func init() {
 if runtime.GOOS == "windows" {
@@ -112,14 +107,6 @@ func init() {
 gob.Register(madmin.XFSErrorConfigs{})
 gob.Register(map[string]interface{}{})
 
- defaultAWSCredProvider = []credentials.Provider{
- &credentials.IAM{
- Client: &http.Client{
- Transport: NewHTTPTransport(),
- },
- },
- }
-
 var err error
 shardDiskTimeDelta, err = time.ParseDuration(env.Get("_MINIO_SHARD_DISKTIME_DELTA", "1m"))
 if err != nil {
diff --git a/cmd/warm-backend-s3.go b/cmd/warm-backend-s3.go
index 3f51d7473..4a53f402a 100644
--- a/cmd/warm-backend-s3.go
+++ b/cmd/warm-backend-s3.go
@@ -115,7 +115,11 @@ func newWarmBackendS3(conf madmin.TierS3, tier string) (*warmBackendS3, error) {
 }
 var creds *credentials.Credentials
 if conf.AWSRole {
- creds = credentials.NewChainCredentials(defaultAWSCredProvider)
+ creds = credentials.New(&credentials.IAM{
+ Client: &http.Client{
+ Transport: NewHTTPTransport(),
+ },
+ })
 } else {
 creds = credentials.NewStaticV4(conf.AccessKey, conf.SecretKey, "")
 }
diff --git a/cmd/warm-backend.go b/cmd/warm-backend.go
index 8169ee242..d04c6067f 100644
--- a/cmd/warm-backend.go
+++ b/cmd/warm-backend.go
@@ -117,7 +117,7 @@ type tierPermErr struct {
 }
 
 func (te tierPermErr) Error() string {
- return fmt.Sprintf("failed to perform %s %v", te.Op, te.Err)
+ return fmt.Sprintf("failed to perform %s: %v", te.Op, te.Err)
 }
 
 func errIsTierPermError(err error) bool {
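Review bot: The `conf.AWSRole` branch in cmd/warm-backend-s3.go carries no comment saying why a bare `credentials.IAM` provider is used instead of a chain, so a later refactor could reintroduce the chain and with it the silent fall-back to anonymous requests that the commit message describes. I would add above the `credentials.New(...)` call: `// Use the IAM provider directly: a chain whose providers all fail sends anonymous requests, which hides the real credential error.` The `http.Client` built here sets no `Timeout`, and whether `NewHTTPTransport()` bounds a stalled credential fetch is not visible in this diff, so that is worth confirming. newWarmBackendS3 starts and ends outside the hunk.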