danny-avila / LibreChat

Enhanced ChatGPT Clone: Features Anthropic, AWS, OpenAI, Assistants API, Azure, Groq, o1, GPT-4o, Mistral, OpenRouter, Vertex AI, Gemini, Artifacts, AI model switching, message search, langchain, DALL-E-3, ChatGPT Plugins, OpenAI Functions, Secure Multi-User System, Presets, completely open-source for self-hosting. Actively in public development.
https://librechat.ai/
MIT License
19.51k stars 3.25k forks source link

Enhancement: AWS S3 Support (with IRSA option) #2898

Open tip-dteller opened 6 months ago

tip-dteller commented 6 months ago

What features would you like to see added?

When generating images or even python plots, images are stored to disk, which can be mounted to any location. IconURL however points to anything external .i.e Github. So when trying to use an S3 address, inherently it fails because the call never goes to AWS, but instead goes through outside the network. (Private trying to access Public).

This was observed in Kubernetes deployment of LibreChat.

Also I believe that storing images on s3, for all intents and purposes, would be better for historical purposes. If a pod or container suddenly goes down, and the images aren't mapped properly you'd simply lose them.

Can you please add support for IRSA? I know this requires some code additions.

More details

Example Trust Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::{AWS_ACCOUNT}:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/{EKS_OIDC}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-east-1.amazonaws.com/id/{EKS_OIDC}:sub": "system:serviceaccount:librechat:librechat",
                    "oidc.eks.us-east-1.amazonaws.com/id/{EKS_OIDC}:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

Example Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-example-librechat-bucket/*",
                "arn:aws:s3:::my-example-librechat-bucket"
            ]
        }
    ]
}

The user that will deploy, ideally. should have base knowledge of K8s and how to utilize a serviceAccount.

Which components are impacted by your request?

General

Pictures

No response

Code of Conduct

danny-avila commented 6 months ago

firebase is already an option for images, from which you can apply similar policies, and S3 support is planned.

It would follow the same dependency injection pattern as firebase.

Since the main concern seems to be the ability to store and retrieve images using AWS S3, which is planned, I'm renaming this issue as such. I will keep IRSA in mind as an authentication method to implement for this.