mirrors/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-05-21 09:11:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
87fdea5330835adb2ee200096cfb4ce9511fa1dc
seaweedfs/weed/shell/command_s3_accesskey_create.go
Chris Lu 37e6263efe fix(shell): attach admin JWT for filer IAM gRPC calls (#9536) 
When jwt.filer_signing.key is set, the filer's IamGrpcServer requires
a Bearer token on every IAM RPC. The shell's s3.* IAM commands dialed
without that header and failed with Unauthenticated. Route them through
a small helper that mints a token from the same key viper-loaded from
security.toml and appends it as outgoing metadata, matching the credential
grpc_store pattern.
2026-05-18 13:42:32 -07:00

91 lines
2.4 KiB
Go
Raw Blame History

package shell
import (
"context"
"flag"
"fmt"
"io"
"github.com/seaweedfs/seaweedfs/weed/iam"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
)
func init() {
Commands = append(Commands, &commandS3AccessKeyCreate{})
}
type commandS3AccessKeyCreate struct {
}
func (c *commandS3AccessKeyCreate) Name() string {
return "s3.accesskey.create"
}
func (c *commandS3AccessKeyCreate) Help() string {
return `create an additional access key for an S3 IAM user
s3.accesskey.create -user <username>
s3.accesskey.create -user <username> -access_key <key> -secret_key <secret>
Generates a new credential pair for an existing user. If -access_key and
-secret_key are omitted, they are generated automatically.
`
}
func (c *commandS3AccessKeyCreate) HasTag(CommandTag) bool {
return false
}
func (c *commandS3AccessKeyCreate) Do(args []string, commandEnv *CommandEnv, writer io.Writer) error {
f := flag.NewFlagSet(c.Name(), flag.ContinueOnError)
user := f.String("user", "", "user name")
accessKey := f.String("access_key", "", "access key (generated if omitted)")
secretKey := f.String("secret_key", "", "secret key (generated if omitted)")
if err := f.Parse(args); err != nil {
return err
}
if *user == "" {
return fmt.Errorf("-user is required")
}
ak := *accessKey
sk := *secretKey
if ak == "" && sk == "" {
var err error
ak, err = iam.GenerateRandomString(iam.AccessKeyIdLength, iam.CharsetUpper)
if err != nil {
return fmt.Errorf("generate access key: %v", err)
}
sk, err = iam.GenerateSecretAccessKey()
if err != nil {
return fmt.Errorf("generate secret key: %v", err)
}
} else if ak == "" || sk == "" {
return fmt.Errorf("both -access_key and -secret_key must be provided together, or omit both to auto-generate")
}
err := commandEnv.withIamClient(func(ctx context.Context, client iam_pb.SeaweedIdentityAccessManagementClient) error {
_, err := client.CreateAccessKey(ctx, &iam_pb.CreateAccessKeyRequest{
Username: *user,
Credential: &iam_pb.Credential{
AccessKey: ak,
SecretKey: sk,
Status: iam.AccessKeyStatusActive,
},
})
return err
})
if err != nil {
return err
}
fmt.Fprintf(writer, "Created access key for user %q\n", *user)
fmt.Fprintf(writer, "Access Key: %s\n", ak)
fmt.Fprintf(writer, "Secret Key: %s\n", sk)
fmt.Fprintln(writer)
fmt.Fprintln(writer, "Save these credentials - the secret key cannot be retrieved later.")
return nil
}
Reference in New Issue View Git Blame Copy Permalink