feat: Add IRSA and session token support to AWS Storage Service

This enhancement addresses the AWS credential limitations in OpenVSX by adding
support for multiple authentication methods:

1. Static credentials with session token (temporary credentials)
2. Static credentials without session token (permanent credentials)
3. IRSA credentials (IAM Roles for Service Accounts)
4. Default credential provider chain (fallback)

Key improvements:
- Enables secure Kubernetes deployments using IRSA
- Supports temporary credentials from AWS STS
- Maintains backward compatibility with existing configurations
- Follows AWS security best practices
- Eliminates need for long-lived static credentials in containers

The service automatically detects available credential types and uses
appropriate AWS SDK credential providers based on configuration.

Updated documentation includes examples for all authentication methods
and deployment scenarios.

Fixes: #1316
Signed-off-by: Adnan Al <[email protected]>

Author: achdmbp

README.md

@@ -154,10 +154,46 @@ If you would like to test file storage via Amazon S3, follow these steps:
       }
     ]
     ```
+
+#### Authentication Methods
+
+OpenVSX supports multiple AWS authentication methods with the following precedence:
+
+1. **Static credentials with session token** (temporary credentials)
+2. **Static credentials without session token** (permanent credentials)
+3. **IAM role-based credentials** (using AWS Web Identity Token authentication)
+4. **Default credential provider chain** (fallback for other AWS credential sources)
+
+#### Option 1: Static Credentials (Traditional)
+
 * Follow the steps for [programmatic access](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) to create your access key id and secret access key
-* Configure the following environment variables on your server environment
+* Configure the following environment variables:
   * `AWS_ACCESS_KEY_ID` with your access key id
   * `AWS_SECRET_ACCESS_KEY` with your secret access key
+  * `AWS_SESSION_TOKEN` with your session token (optional, for temporary credentials)
+
+#### Option 2: IAM Role with Web Identity Token (Recommended for containerized deployments)
+
+For deployments using IAM roles with web identity token authentication (such as IRSA in Kubernetes, ECS tasks with task roles, or other container orchestration platforms):
+
+* Create an IAM role with S3 permissions and appropriate trust policy
+* Configure your deployment environment to provide the following environment variables:
+  * `AWS_ROLE_ARN` - The ARN of the IAM role to assume
+  * `AWS_WEB_IDENTITY_TOKEN_FILE` - Path to the web identity token file
+* No static credentials needed!
+
+#### Option 3: Default Credential Provider Chain
+
+OpenVSX will automatically detect credentials from:
+* Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
+* AWS credentials file (`~/.aws/credentials`)
+* AWS config file (`~/.aws/config`)
+* IAM instance profile (for EC2 instances)
+* Container credentials (for ECS tasks)
+
+#### Common Configuration
+
+Regardless of authentication method, configure these environment variables:
   * `AWS_REGION` with your bucket region name
   * `AWS_SERVICE_ENDPOINT` with the url of your S3 provider if not using AWS (for AWS do not set)
   * `AWS_BUCKET` with your bucket name

server/build.gradle

@@ -29,7 +29,7 @@ def versions = [
     azure: '12.23.0',
     aws: '2.29.29',
     junit: '5.9.2',
-    testcontainers: '1.15.2',
+    testcontainers: '1.19.3',
     jackson: '2.15.2',
     woodstox: '6.4.0',
     jobrunr: '7.5.0',
@@ -128,10 +128,12 @@ dependencies {
     }
     testImplementation "org.springframework.security:spring-security-test"
     testImplementation "org.testcontainers:elasticsearch:${versions.testcontainers}"
+    testImplementation "org.testcontainers:localstack:${versions.testcontainers}"
+    testImplementation "org.testcontainers:junit-jupiter:${versions.testcontainers}"
     testImplementation "org.junit.jupiter:junit-jupiter-api:${versions.junit}"
     testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:${versions.junit}"
     testRuntimeOnly "org.testcontainers:postgresql:${versions.testcontainers}"
-
+    
     gatling "io.gatling:gatling-core:${versions.gatling}"
     gatling "io.gatling:gatling-app:${versions.gatling}"
 }
@@ -198,8 +200,23 @@ task unitTests(type: Test) {
     exclude 'org/eclipse/openvsx/IntegrationTest.class'
     exclude 'org/eclipse/openvsx/cache/CacheServiceTest.class'
     exclude 'org/eclipse/openvsx/repositories/RepositoryServiceSmokeTest.class'
+    exclude 'org/eclipse/openvsx/storage/AwsStorageServiceIntegrationTest.class'
 }
 
+task s3IntegrationTests(type: Test) {
+    description = 'Runs S3 integration tests using LocalStack (requires Docker/Podman).'
+    group = 'verification'
+    testClassesDirs = sourceSets.test.output.classesDirs
+    classpath = sourceSets.test.runtimeClasspath
+    useJUnitPlatform()
+    include 'org/eclipse/openvsx/storage/AwsStorageServiceIntegrationTest.class'
+    
+    // Set system properties for test configuration
+    systemProperty 'spring.profiles.active', 's3-integration'
+}
+
+
+
 jacocoTestReport {
     reports {
         xml.required = true

server/src/main/java/org/eclipse/openvsx/storage/AwsStorageService.java

@@ -23,6 +23,9 @@
 import org.springframework.data.util.Pair;
 import org.springframework.stereotype.Component;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
 import software.amazon.awssdk.awscore.defaultsmode.DefaultsMode;
 import software.amazon.awssdk.regions.Region;
@@ -60,6 +63,9 @@ public class AwsStorageService implements IStorageService {
     @Value("${ovsx.storage.aws.secret-access-key:}")
     String secretAccessKey;
 
+    @Value("${ovsx.storage.aws.session-token:}")
+    String sessionToken;
+
     @Value("${ovsx.storage.aws.region:}")
     String region;
 
@@ -81,12 +87,11 @@ public AwsStorageService(FileCacheDurationConfig fileCacheDurationConfig, FilesC
 
     protected S3Client getS3Client() {
         if (s3Client == null) {
-            var credentials = AwsBasicCredentials.create(accessKeyId, secretAccessKey);
             var s3ClientBuilder = S3Client.builder()
                     .defaultsMode(DefaultsMode.STANDARD)
                     .forcePathStyle(pathStyleAccess)
-                    .credentialsProvider(StaticCredentialsProvider.create(credentials))
-                    .region(Region.of(region));
+                    .region(Region.of(region))
+                    .credentialsProvider(getCredentialsProvider());
 
             if(StringUtils.isNotEmpty(serviceEndpoint)) {
                 var endpointParams = S3EndpointParams.builder()
@@ -107,10 +112,9 @@ protected S3Client getS3Client() {
     }
 
     private S3Presigner getS3Presigner() {
-        var credentials = AwsBasicCredentials.create(accessKeyId, secretAccessKey);
         var builder = S3Presigner.builder()
-                .credentialsProvider(StaticCredentialsProvider.create(credentials))
-                .region(Region.of(region));
+                .region(Region.of(region))
+                .credentialsProvider(getCredentialsProvider());
 
         if(StringUtils.isNotEmpty(serviceEndpoint)) {
             var endpointParams = S3EndpointParams.builder()
@@ -128,9 +132,44 @@ private S3Presigner getS3Presigner() {
         return builder.build();
     }
 
+    private AwsCredentialsProvider getCredentialsProvider() {
+        // Use static credentials if provided, otherwise DefaultCredentialsProvider handles everything
+        if (hasStaticCredentials()) {
+            var credentials = hasSessionToken() 
+                ? AwsSessionCredentials.create(accessKeyId, secretAccessKey, sessionToken)
+                : AwsBasicCredentials.create(accessKeyId, secretAccessKey);
+            return StaticCredentialsProvider.create(credentials);
+        }
+        return DefaultCredentialsProvider.create();
+    }
+
+
+    private boolean hasStaticCredentials() {
+        return !StringUtils.isEmpty(accessKeyId) && !StringUtils.isEmpty(secretAccessKey);
+    }
+
+    private boolean hasSessionToken() {
+        return !StringUtils.isEmpty(sessionToken);
+    }
     @Override
     public boolean isEnabled() {
-        return !StringUtils.isEmpty(accessKeyId);
+        // Require region and bucket to be configured
+        if (StringUtils.isEmpty(region) || StringUtils.isEmpty(bucket)) {
+            return false;
+        }
+        
+        // If any credential fields are provided, validate them properly
+        boolean hasAccessKey = !StringUtils.isEmpty(accessKeyId);
+        boolean hasSecretKey = !StringUtils.isEmpty(secretAccessKey);
+        boolean hasSessionToken = !StringUtils.isEmpty(sessionToken);
+        
+        if (hasAccessKey || hasSecretKey || hasSessionToken) {
+            // If any credential is provided, both access key and secret key must be present
+            return hasAccessKey && hasSecretKey;
+        }
+        
+        // No static credentials provided - allow AWS default credential provider chain
+        return true;
     }
 
     @Override