S3 API: simpler way to start s3 with credentials (#7030)

* simpler way to start s3 with credentials

* AWS_ACCESS_KEY_ID=access_key AWS_SECRET_ACCESS_KEY=secret_key weed s3

* last adding credentials from env variables

* Update weed/s3api/auth_credentials.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* simplify

* adjust doc

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

1 files changed, 52 insertions, 20 deletions

diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 742f3eede..4f00639ff 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -85,22 +85,6 @@ type Credential struct {
 	SecretKey string
 }
 
-func (i *Identity) isAnonymous() bool {
-	return i.Account.Id == s3_constants.AccountAnonymousId
-}
-
-func (action Action) isAdmin() bool {
-	return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
-}
-
-func (action Action) isOwner(bucket string) bool {
-	return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
-}
-
-func (action Action) overBucket(bucket string) bool {
-	return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
-}
-
 // "Permission": "FULL_CONTROL"|"WRITE"|"WRITE_ACP"|"READ"|"READ_ACP"
 func (action Action) getPermission() Permission {
 	switch act := strings.Split(string(action), ":")[0]; act {
@@ -147,6 +131,7 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto
 
 	iam.credentialManager = credentialManager
 
+	// First, load configurations from file or filer
 	if option.Config != "" {
 		glog.V(3).Infof("loading static config file %s", option.Config)
 		if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
@@ -158,6 +143,57 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto
 			glog.Warningf("fail to load config: %v", err)
 		}
 	}
+
+	// Then, add admin credentials from environment variables if available
+// This supplements the configuration by adding admin credentials from environment variables if they don't already exist.
+	accessKeyId := os.Getenv("AWS_ACCESS_KEY_ID")
+	secretAccessKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
+
+	if accessKeyId != "" && secretAccessKey != "" {
+		glog.V(0).Infof("Adding S3 admin credentials from AWS environment variables")
+
+		// Check if an identity with this access key already exists
+		iam.m.RLock()
+		_, accessKeyExists := iam.accessKeyIdent[accessKeyId]
+		iam.m.RUnlock()
+
+		if !accessKeyExists {
+			// Create environment variable identity name
+			identityNameSuffix := accessKeyId
+			if len(accessKeyId) > 8 {
+				identityNameSuffix = accessKeyId[:8]
+			}
+
+			// Create admin identity with environment variable credentials
+			envIdentity := &Identity{
+				Name:    "admin-" + identityNameSuffix,
+				Account: &AccountAdmin,
+				Credentials: []*Credential{
+					{
+						AccessKey: accessKeyId,
+						SecretKey: secretAccessKey,
+					},
+				},
+				Actions: []Action{
+					s3_constants.ACTION_ADMIN,
+				},
+			}
+
+			// Add to existing configuration
+			iam.m.Lock()
+			iam.identities = append(iam.identities, envIdentity)
+			iam.accessKeyIdent[accessKeyId] = envIdentity
+			if !iam.isAuthEnabled {
+				iam.isAuthEnabled = true
+			}
+			iam.m.Unlock()
+
+			glog.V(0).Infof("Added admin identity from AWS environment variables: %s", envIdentity.Name)
+		} else {
+			glog.V(0).Infof("Access key %s already exists, skipping environment variable credentials", accessKeyId)
+		}
+	}
+
 	return iam
 }
 
@@ -538,9 +574,5 @@ func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromCredentialManager
 		return fmt.Errorf("failed to load configuration from credential manager: %w", err)
 	}
 
-	if len(s3ApiConfiguration.Identities) == 0 {
-		return fmt.Errorf("no identities found")
-	}
-
 	return iam.loadS3ApiConfiguration(s3ApiConfiguration)
 }