Document s3 substitutions #2319
Docs seem good & taught me stuff I didn't know about it, even though I use authenticated Nix S3 reads and writes dozens of times a day 😄
service.</para></listitem>

<listitem><para>The bucket must be within the
<literal>us-east-1</literal> region.</para></listitem>
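Review bot: this list item states the us-east-1 restriction as if it were a property of S3 rather than a current limitation of the substituter; consider wording it as "currently only us-east-1 buckets are supported for reads, because the region is hard-coded in the download code (see the FIXME there)", so readers know the limitation is on the Nix side and may be lifted.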
I suppose this is why it doesn't need s3:GetBucketLocation on reads? Seems like a problem 😦
<section xml:id="ssec-s3-substituter-authenticated-writes">
<title>Authenticated Writes to your S3-compatible binary cache</title>

<para>Nix support fully supports writing to Amazon S3 and S3
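Review bot: typo in the opening sentence of this paragraph: "Nix support fully supports writing" should read "Nix fully supports writing".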
Why is the behavior so different between reads and writes?
In short...
Download code:
Lines 600 to 606 in 45bcf54
#ifdef ENABLE_S3
    S3Helper s3Helper("", Aws::Region::US_EAST_1); // FIXME: make configurable
    auto slash = request.uri.find('/', 5);
    if (slash == std::string::npos)
        throw nix::Error("bad S3 URI '%s'", request.uri);
    std::string bucketName(request.uri, 5, slash - 5);
    std::string key(request.uri, slash + 1);
Upload code:
nix/src/libstore/s3-binary-cache-store.cc
Line 189 in 45bcf54
    , s3Helper(profile, region)
The Upload code does a fancier arg parsing, which happens in a separate function:
Lines 838 to 851 in 45bcf54
ref<Store> openStore(const std::string & uri_,
    const Store::Params & extraParams)
{
    auto uri(uri_);
    Store::Params params(extraParams);
    auto q = uri.find('?');
    if (q != std::string::npos) {
        for (auto s : tokenizeString<Strings>(uri.substr(q + 1), "&")) {
            auto e = s.find('=');
            if (e != std::string::npos)
                params[s.substr(0, e)] = s.substr(e + 1);
        }
        uri = uri_.substr(0, q);
    }
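The two URI parsers this comment contrasts, reimplemented side by side as an added example (not Nix's own code): parseReadUri follows the quoted download code, parseStoreUri follows the quoted openStore(), and splitOn stands in for tokenizeString. The function names are mine; the point is that a "?region=..." suffix becomes a store parameter on the write path but part of the object key on the read path, whose region stays hard-coded.

```cpp
#include <map>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Read path (mirrors the quoted download code): no query-string handling, so
// everything after the first '/' past "s3://" is the object key.
struct S3Ref { std::string bucket; std::string key; };

S3Ref parseReadUri(const std::string & uri)
{
    if (uri.compare(0, 5, "s3://") != 0)
        throw std::runtime_error("bad S3 URI '" + uri + "'");
    auto slash = uri.find('/', 5);
    if (slash == std::string::npos)
        throw std::runtime_error("bad S3 URI '" + uri + "'");
    return { uri.substr(5, slash - 5), uri.substr(slash + 1) };
}

// Write path (mirrors openStore): "?k=v&k2=v2" is split off into a parameter
// map before the URI is used, so settings like region/profile can be passed.
using Params = std::map<std::string, std::string>;
// Stand-in for Nix's tokenizeString: split s on a single separator.
static std::vector<std::string> splitOn(const std::string & s, char sep)
{
    std::vector<std::string> out;
    std::string cur;
    for (char c : s) {
        if (c == sep) { out.push_back(cur); cur.clear(); } else cur += c;
    }
    out.push_back(cur);
    return out;
}

std::pair<std::string, Params> parseStoreUri(const std::string & uri_)
{
    Params params;
    std::string uri = uri_;
    auto q = uri.find('?');
    if (q != std::string::npos) {
        for (const auto & s : splitOn(uri.substr(q + 1), '&')) {
            auto e = s.find('=');
            if (e != std::string::npos)
                params[s.substr(0, e)] = s.substr(e + 1);
        }
        uri = uri_.substr(0, q);
    }
    return { uri, params };
}
```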
cache.</para>

<para>For AWS S3 the binary cache URL for example bucket will be
exactly <uri>https://example-bucket.s3.amazonaws.com</uri>. For S3
I think this depends on the region also ? https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html#access-bucket-intro
No, DNS is sufficient:
In a virtual-hosted–style URL, you can use either of these endpoints. If you make a request to the http://bucket.s3.amazonaws.com endpoint, the DNS has sufficient information to route your request directly to the Region where your bucket resides.
oh good to know :)
Ideally this will be backported to 2.0.x.
Ideally we could get an authoritative, minimal list of privileges required, but it seems most people testing grant s3:*.
cc @shlevy