From 427b36ca1cc3c5b2fe74f28d312f4dd775bd32fc Mon Sep 17 00:00:00 2001 From: Joe Zollo <33108028+zollo@users.noreply.github.com> Date: Thu, 29 Sep 2022 13:16:49 -0400 Subject: [PATCH] Add Param to to s3_object module to enforce SigV4 for get operations (#1014) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add Param to to s3_object module to enforce SigV4 for get operations SUMMARY This pull request adds a parameter to the s3_object module that enables users to force/require the Boto SDK to use SigV4 for get operations. Fixes #1013 ISSUE TYPE Feature Pull Request COMPONENT NAME s3_object ADDITIONAL INFORMATION N/A Reviewed-by: Alina Buzachis Reviewed-by: Gonéri Le Bouder Reviewed-by: Joe Zollo Reviewed-by: Jill R Reviewed-by: Mark Chappell Reviewed-by: Geoffrey Hichborn
---
...-version-4-to-the-s3_object-geturl-mode.yml | 2 ++
plugins/modules/s3_object.py | 13 +++++++++++--
.../targets/s3_object/tasks/main.yml | 18 +++++++++++++++++-
3 files changed, 30 insertions(+), 3 deletions(-)
create mode 100644 changelogs/fragments/1014-add-support-for-signature-version-4-to-the-s3_object-geturl-mode.yml
diff --git a/changelogs/fragments/1014-add-support-for-signature-version-4-to-the-s3_object-geturl-mode.yml b/changelogs/fragments/1014-add-support-for-signature-version-4-to-the-s3_object-geturl-mode.yml
new file mode 100644
index 00000000000..733d1efb22e
--- /dev/null
+++ b/changelogs/fragments/1014-add-support-for-signature-version-4-to-the-s3_object-geturl-mode.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- s3_object - added the ``sig_v4`` paramater, enbling the user to opt in to signature version 4 for download/get operations. (https://github.com/ansible-collections/amazon.aws/pull/1014)
diff --git a/plugins/modules/s3_object.py b/plugins/modules/s3_object.py
index f18220f23b8..cfde5143f78
--- a/plugins/modules/s3_object.py
+++ b/plugins/modules/s3_object.py
@@ -97,6 +97,13 @@
- Keyname of the object inside the bucket.
- Can be used to create "virtual directories", see examples.
type: str
+ sig_v4:
+ description:
+ - Forces the Boto SDK to use Signature Version 4.
+ - Only applies to get modes, I(mode=get), I(mode=getstr), I(mode=geturl).
+ default: true
+ type: bool
+ version_added: 5.0.0
permission:
description:
- This option lets the user set the canned permissions on the object/bucket that are created.
@@ -858,7 +865,7 @@ def get_s3_connection(module, aws_connect_kwargs, location, ceph, endpoint_url,
params = dict(module=module, conn_type='client', resource='s3', region=location, endpoint=endpoint_url, **aws_connect_kwargs)
if module.params['mode'] == 'put' and module.params['encryption_mode'] == 'aws:kms':
params['config'] = botocore.client.Config(signature_version='s3v4')
- elif module.params['mode'] in ('get', 'getstr') and sig_4:
+ elif module.params['mode'] in ('get', 'getstr', 'geturl') and sig_4:
params['config'] = botocore.client.Config(signature_version='s3v4')
if module.params['dualstack']:
dualconf = botocore.client.Config(s3={'use_dualstack_endpoint': True})
@@ -959,6 +966,7 @@ def main():
max_keys=dict(default=1000, type='int', no_log=False),
metadata=dict(type='dict'),
mode=dict(choices=['get', 'put', 'delete', 'create', 'geturl', 'getstr', 'delobj', 'list', 'copy'], required=True),
+ sig_v4=dict(default=True, type='bool'),
object=dict(),
permission=dict(type='list', elements='str', default=['private']),
version=dict(default=None),
@@ -1006,6 +1014,7 @@ def main():
obj = module.params.get('object')
version = module.params.get('version')
overwrite = module.params.get('overwrite')
+ sig_v4 = module.params.get('sig_v4')
prefix = module.params.get('prefix')
retries = module.params.get('retries')
endpoint_url = module.params.get('endpoint_url')
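Review bot: The new `sig_v4` option description says the option "forces" Signature Version 4 but leaves unstated what I(sig_v4=false) does; in the get_s3_connection hunk further down a false value only skips setting the client config in that branch, so the signing version falls back to whatever botocore chooses for the endpoint rather than an older version being selected. Suggest adding to the description `- When I(sig_v4=false) the signature version is left to the SDK default; Signature Version 4 is the current AWS signing scheme, so the default of C(true) is the safer setting.` The option is also inserted between `object` and `permission` here and between `mode` and `object` in the argument_spec hunk of `main()`, which appears to break the alphabetical ordering the neighbouring options follow.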
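Review bot: The extended condition still reads the parameter as `sig_4`, while the module option, the argument_spec entry, the local in `main()` and the call site in the @@ -1064 hunk are all spelled `sig_v4`; the call passes the value positionally so nothing breaks, but two spellings for one flag make the code hard to grep, and renaming the parameter to `sig_v4` in the signature and here would remove that (the signature is truncated in the hunk header, so check no caller uses the old keyword). A short why-comment on the branch would also help the next reader, e.g. `# get/getstr/geturl: opt in to SigV4 signing (put with SSE-KMS is always SigV4, above)`. The body of get_s3_connection continues past the hunk.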
@@ -1064,7 +1073,7 @@ def main():
if endpoint_url:
for key in ['validate_certs', 'security_token', 'profile_name']:
aws_connect_kwargs.pop(key, None)
- s3 = get_s3_connection(module, aws_connect_kwargs, location, ceph, endpoint_url)
+ s3 = get_s3_connection(module, aws_connect_kwargs, location, ceph, endpoint_url, sig_v4)
validate = not ignore_nonexistent_bucket
diff --git a/tests/integration/targets/s3_object/tasks/main.yml b/tests/integration/targets/s3_object/tasks/main.yml
index 0e1d636a813..e85fd788634
--- a/tests/integration/targets/s3_object/tasks/main.yml
+++ b/tests/integration/targets/s3_object/tasks/main.yml
@@ -23,7 +23,7 @@
- name: Create content
set_fact:
- content: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits,punctuation') }}"
+ content: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits,punctuation') }}"
- name: test create bucket without permissions
module_defaults: { group/aws: {} }
@@ -399,6 +399,22 @@
- "'Download url:' in result.msg"
- result is changed
+ - name: test geturl of the object with sigv4
+ s3_object:
+ bucket: "{{ bucket_name }}"
+ mode: geturl
+ sig_v4: true
+ object: delete.txt
+ retries: 3
+ delay: 3
+ register: result
+ until: result is changed
+
+ - assert:
+ that:
+ - "'Download url:' in result.msg"
+ - result is changed
+ - name: test getstr of the object s3_object: bucket: "{{ bucket_name }}"
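Review bot: `sig_v4` is appended as a sixth positional argument to get_s3_connection, whose signature is only partially visible in the @@ -858 hunk header; for a boolean that changes how requests are signed, a keyword call such as `s3 = get_s3_connection(module, aws_connect_kwargs, location, ceph, endpoint_url, sig_4=sig_v4)` (using whatever name the parameter actually has) is harder to mis-order if the signature grows again. The rest of main() lies outside the hunk.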
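Review bot: The new "test geturl of the object with sigv4" task sets `sig_v4: true`, which is the option's default, and asserts exactly what the existing geturl task above it asserts, so it passes whether or not the new branch in get_s3_connection has any effect. To actually cover the change, assert on the URL itself, for instance `- "'X-Amz-Algorithm=AWS4-HMAC-SHA256' in result.url"` (SigV4 query-string signatures carry that parameter; confirm `url` is the key this module returns for geturl), and add a sibling task with `sig_v4: false` so both sides of the new condition are exercised. The surrounding task list continues outside the hunk.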