s3.go: Added options to use paths with S3 and the ability to disable SSL (#3730)

2026-05-05 04:16:31 +02:00 · 2018-01-03 17:11:00 +00:00 · 2018-01-03 17:11:00 +00:00 · f57329a37a
commit f57329a37a
parent 326e1ab24c
2 changed files with 28 additions and 3 deletions
--- a/physical/s3/s3.go
+++ b/physical/s3/s3.go
@ -22,6 +22,7 @@ import (
 	cleanhttp "github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/vault/helper/awsutil"
 	"github.com/hashicorp/vault/helper/consts"
+	"github.com/hashicorp/vault/helper/parseutil"
 	"github.com/hashicorp/vault/physical"
 )

@ -72,6 +73,22 @@ func NewS3Backend(conf map[string]string, logger log.Logger) (physical.Backend,
 			}
 		}
 	}
+	s3ForcePathStyleStr, ok := conf["s3_force_path_style"]
+	if !ok {
+		s3ForcePathStyleStr = "false"
+	}
+	s3ForcePathStyleBool, err := parseutil.ParseBool(s3ForcePathStyleStr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid boolean set for s3_force_path_style: '%s'", s3ForcePathStyleStr)
+	}
+	disableSSLStr, ok := conf["disable_ssl"]
+	if !ok {
+		disableSSLStr = "false"
+	}
+	disableSSLBool, err := parseutil.ParseBool(disableSSLStr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid boolean set for disable_ssl: '%s'", disableSSLStr)
+	}

 	credsConfig := &awsutil.CredentialsConfig{
 		AccessKey:    accessKey,
@ -91,8 +108,10 @@ func NewS3Backend(conf map[string]string, logger log.Logger) (physical.Backend,
 		HTTPClient: &http.Client{
 			Transport: pooledTransport,
 		},
-		Endpoint: aws.String(endpoint),
-		Region:   aws.String(region),
+		Endpoint:         aws.String(endpoint),
+		Region:           aws.String(region),
+		S3ForcePathStyle: aws.Bool(s3ForcePathStyleBool),
+		DisableSSL:       aws.Bool(disableSSLBool),
 	}))

 	_, err = s3conn.ListObjects(&s3.ListObjectsInput{Bucket: &bucket})
--- a/website/source/docs/configuration/storage/s3.html.md
+++ b/website/source/docs/configuration/storage/s3.html.md
@ -58,9 +58,15 @@ cause Vault to attempt to retrieve credentials from the AWS metadata service.
 - `session_token` `(string: "")` – Specifies the AWS session token. This can
  also be provided via the environment variable `AWS_SESSION_TOKEN`.

- `max_parallel` `(string: "128")` – Specifies The maximum number of concurrent
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
  requests to S3.

+- `s3_force_path_style` `(string: "false")` - Specifies whether to use host
+  bucket style domains with the configured endpoint.
+
+- `disable_ssl` `(string: "false")` - Specifies if SSL should be used for the
+  endpoint connection (highly recommended not to disable for production).
+
 ## `s3` Examples

 ### Default Example