timuralp
commented
1 year ago AWS supports two signing methods for S3 requests: v2 (deprecated - https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html) and v4 (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). Setting the value to aws-v2-or-v4 instructs s3proxy to verify both kind of signatures for an incoming request. Setting Authorization to "none" does not verify the signature at all.
You can configure front-end (client-facing) credentials to be different from the backend. This is a useful feature where clients do not need to know the real AWS S3 keys, for example. s3proxy then validates that the client signed the requests as expected and resigns the requests with the actual AWS key.
I think expanding documentation to include this information would be great, although some of this information is about how S3 requests work (i.e. signing methods and request verification).
alifirat
caseyoneill
I started off testing S3Proxy with Authorization set to none and everything worked great. However, as I roll this out to production I want to secure the server. I see that the default value for the docker S3PROXY_AUTHORIZATION ENV is "aws-v2-or-v4". I'm rather confused as to what this means and I can't find any explanation in the wiki.
I currently have S3Proxy setup to connect to AWS S3 with JCLOUDS_PROVIDER=aws-s3. At first I thought that setting S3PROXY_AUTHORIZATION to "aws-v2-or-v4" would mean that my AWS SDK s3Client would need to pass along valid AWS Access Key and Secret Keys and that S3Proxy would authenticate those keys with AWS. That did not work. Then I set the same valid AWS keys in S3Proxy using the ENVs S3PROXY_IDENTITY and S3PROXY_CREDENTIAL. That did work.
While that worked, I didn't quite understand why both my client and the S3Proxy server would need valid AWS credentials. The client should have been enough. Then I changed the client keys to randomly created username and password similar to s3proxyuser/password123456. I set the same credentials for S3PROXY_IDENTITY and S3PROXY_CREDENTIAL on S3Proxy. And to my surprise it worked!
Are S3PROXY_IDENTITY and S3PROXY_CREDENTIAL used to hardcode a username and password for S3Proxy? I think that makes sense but it would be helpful if the wiki could fully document the functionality.