s3.go: Added options to use paths with S3 and the ability to disable …

…SSL (#3730)
hashicorp · Jan 3, 2018 · f57329a · f57329a
1 parent 326e1ab
commit f57329a
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/physical/s3/s3.go b/physical/s3/s3.go
@@ -22,6 +22,7 @@ import (
 	cleanhttp "github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/vault/helper/awsutil"
 	"github.com/hashicorp/vault/helper/consts"
+	"github.com/hashicorp/vault/helper/parseutil"
 	"github.com/hashicorp/vault/physical"
 )
 
@@ -72,6 +73,22 @@ func NewS3Backend(conf map[string]string, logger log.Logger) (physical.Backend,
 			}
 		}
 	}
+	s3ForcePathStyleStr, ok := conf["s3_force_path_style"]
+	if !ok {
+		s3ForcePathStyleStr = "false"
+	}
+	s3ForcePathStyleBool, err := parseutil.ParseBool(s3ForcePathStyleStr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid boolean set for s3_force_path_style: '%s'", s3ForcePathStyleStr)
+	}
+	disableSSLStr, ok := conf["disable_ssl"]
+	if !ok {
+		disableSSLStr = "false"
+	}
+	disableSSLBool, err := parseutil.ParseBool(disableSSLStr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid boolean set for disable_ssl: '%s'", disableSSLStr)
+	}
 
 	credsConfig := &awsutil.CredentialsConfig{
 		AccessKey:    accessKey,
@@ -91,8 +108,10 @@ func NewS3Backend(conf map[string]string, logger log.Logger) (physical.Backend,
 		HTTPClient: &http.Client{
 			Transport: pooledTransport,
 		},
-		Endpoint: aws.String(endpoint),
-		Region:   aws.String(region),
+		Endpoint:         aws.String(endpoint),
+		Region:           aws.String(region),
+		S3ForcePathStyle: aws.Bool(s3ForcePathStyleBool),
+		DisableSSL:       aws.Bool(disableSSLBool),
 	}))
 
 	_, err = s3conn.ListObjects(&s3.ListObjectsInput{Bucket: &bucket})

diff --git a/website/source/docs/configuration/storage/s3.html.md b/website/source/docs/configuration/storage/s3.html.md
@@ -58,9 +58,15 @@ cause Vault to attempt to retrieve credentials from the AWS metadata service.
 - `session_token` `(string: "")` – Specifies the AWS session token. This can
   also be provided via the environment variable `AWS_SESSION_TOKEN`.
 
-- `max_parallel` `(string: "128")` – Specifies The maximum number of concurrent
+- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
   requests to S3.
 
+- `s3_force_path_style` `(string: "false")` - Specifies whether to use host
+  bucket style domains with the configured endpoint.
+
+- `disable_ssl` `(string: "false")` - Specifies if SSL should be used for the
+  endpoint connection (highly recommended not to disable for production).
+
 ## `s3` Examples
 
 ### Default Example