Releases: VITObelgium/fakes3pp

v3.2.0

26 Mar 15:10
0ed394b

What's Changed

  • security: avoid excessive memory allocation from jwt-go @pvbouwel in #31
  • tests: make sure range requests are allowed by @pvbouwel in #30
  • Feature/tokenclaims by @pvbouwel in #32
    This allows using condition keys such as claims:sub and claims:iss to control policy logic based on the token's issuer and subject.

Full Changelog: v3.1.0...v3.2.0

v3.1.0

03 Mar 11:35
e368e9c

What's Changed

  • Allow passing RequestId as a query parameter to ease troubleshooting of presigned URL scenarios
  • Log upstream errors at info rather than error level
  • Have AuthType typed
  • Have cleaning of query parameters done in the proxy

Full Changelog: v3.0.1...v3.1.0

v3.0.1

27 Feb 10:13
d32b626

What's Changed

Fixed multiple issues:

  • tls not set for Basic server even though info was passed
  • tls variables are no longer mandatory
  • clean all non signed headers when checking signature that covers specific headers
  • make sure to send an error back when there is an upstream error
  • tests: allow self-signed certificates for the tests
    For details see in #28

Full Changelog: v3.0.0...v3.0.1

v3.0.0

24 Feb 08:36
d70adb7

What's Changed

Breaking changes

  • Request IDs passed by the client are logged in upper case. This makes them easy to distinguish from randomly assigned UUID4s.
  • Relative paths in the backendconfig file are now resolved relative to the config file and not to the working directory. Absolute paths are used as is.
  • Public credentials functions take an interface rather than a private key as argument.
  • Credentials have changed: the session token now carries a claim that ties it to the issued ACCESS_KEY_ID. This improves the security posture, since otherwise a hijacked session token could easily be misused (even without the secret key). To allow a roll-out without breaking already issued credentials, one can set the environment variable DEPRECATED_ALLOW_LEGACY_CREDENTIALS to "YES". Once the maximum credential duration has passed it can be set back to "NO".
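As an added illustration of the access-key binding described in the last item (this is not fakes3pp's own code: the claim name "akid", the token layout and the function names are assumptions of this example), the Go snippet below issues a session token that carries the access key id it belongs to and verifies it, accepting unbound legacy tokens only while the legacy flag is set:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// sessionClaims: "akid" (the bound ACCESS_KEY_ID) is an assumed claim name; legacy tokens lack it.
type sessionClaims struct {
	Subject     string `json:"sub"`
	AccessKeyID string `json:"akid,omitempty"`
}

// issueSessionToken signs the claims with HMAC-SHA256 in a constructed
// "base64url(json).base64url(mac)" layout (not fakes3pp's real token format).
func issueSessionToken(key []byte, c sessionClaims) string {
	body, _ := json.Marshal(c)
	enc := base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(enc))
	return enc + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifySessionToken checks the MAC, then requires the bound access key id to match
// the one the request was signed with; a token without the binding is accepted only
// when allowLegacy is true (DEPRECATED_ALLOW_LEGACY_CREDENTIALS=YES).
func verifySessionToken(key []byte, token, requestAKID string, allowLegacy bool) (*sessionClaims, error) {
	enc, sig, ok := strings.Cut(token, ".")
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(enc))
	if !ok || !hmac.Equal([]byte(sig), []byte(base64.RawURLEncoding.EncodeToString(mac.Sum(nil)))) {
		return nil, errors.New("invalid session token signature")
	}
	var c sessionClaims
	if body, err := base64.RawURLEncoding.DecodeString(enc); err != nil {
		return nil, err
	} else if err = json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.AccessKeyID == "" && !allowLegacy {
		return nil, errors.New("legacy token without access key binding rejected")
	}
	if c.AccessKeyID != "" && c.AccessKeyID != requestAKID {
		return nil, errors.New("session token does not belong to this access key id")
	}
	return &c, nil
}
```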

Improvements

  • Better request logging which could be used like an access log
  • Optionally expose metrics
  • Improved security

Full Changelog: v2.3.0...v3.0.0

v2.3.0

07 Jan 12:32
300c4fd

What's Changed

Full Changelog: v2.2.0...v2.3.0

Allow dynamic reload of local policies

17 Dec 11:45
cdeab87

What's Changed

Full Changelog: v2.1.0...v2.2.0

v2.1.0

06 Dec 19:07
f2e0a5c

What's Changed

  • Bugfix/set idp claims when assuming with webidentity by @pvbouwel in #12
  • security: allow setting conditions on the request region #13 by @pvbouwel in #14

Full Changelog: v2.0.1...v2.1.0

Fix CI release containers

28 Nov 09:28
14bbb4d

This release does not have functional changes. It fixes some CI issues that hindered pushing a container for a release version.
So this can be used as if it were version 2.0.0.

What's Changed

  • ci: allow skipping tests depending on testing backends during build by @pvbouwel in #10
  • bugfix: container build environment variable by @pvbouwel in #11

Full Changelog: v2.0.0...v2.0.1

v2.0.0 multiple S3 backends and Session Tags

27 Nov 16:15
135816a

What's Changed

  • feature: process nested tag claims by @pvbouwel in #6

Support the nested claims format for webidentity tokens in the way AWS supports it. This allows setting session tags when assuming a role with a webidentity token, so that policies can be influenced by attributes from your identity store (see the unit test if it is unclear what type of policy is meant).

  • !Feature/proxy multiple backends issue3 by @pvbouwel in #7 & #9
    Since we are a proxy we don't need a 1-to-1 relationship with a single S3 backend. Multiple S3 backends can now be specified, and the backend is selected based on the region attribute of the request. This means that at the time of writing we are still limited to a single backend per region, which seems not too limiting (if this would be an issue for you, open an issue and explain your use case for multiple backends within a region).

BREAKING CHANGE: This change expects that a valid region is passed in, otherwise the request fails. If this is unwanted you can still specify a default region and enable the config flag "ENABLE_LEGACY_BEHAVIOR_INVALID_REGION_TO_DEFAULT_REGION". This should only be used for a transition period with a grace period: allowing invalid region names becomes harder to migrate away from over time, as the number of invalid client configurations keeps increasing.
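The region-based backend selection and the legacy fallback described above, as an added Go example (not fakes3pp's own code; the config struct, the sample endpoints and the assumption that the request's region comes from the SigV4 credential scope are all constructed for this illustration). The fallback counter is there so an operator can see whether the grace period can actually end:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// backendRouter is a constructed model of the routing described above: exactly
// one backend per region, plus the optional legacy fallback for invalid regions.
type backendRouter struct {
	backends            map[string]string // region -> backend endpoint (sample values)
	defaultRegion       string
	legacyInvalidRegion bool // ENABLE_LEGACY_BEHAVIOR_INVALID_REGION_TO_DEFAULT_REGION
	fallbacks           int  // how often the legacy fallback fired; worth exposing as a metric
}

// regionFromCredentialScope extracts the region from a SigV4 credential scope
// "AKID/YYYYMMDD/region/service/aws4_request"; this example assumes that is the
// "region attribute of the request" the release notes refer to.
func regionFromCredentialScope(scope string) (string, error) {
	p := strings.Split(scope, "/")
	if len(p) != 5 || p[4] != "aws4_request" || p[2] == "" {
		return "", fmt.Errorf("malformed credential scope %q", scope)
	}
	return p[2], nil
}

// selectBackend maps a region to its backend. A region without a configured
// backend is rejected, unless the legacy flag routes it to the default region.
func (r *backendRouter) selectBackend(region string) (string, error) {
	if ep, ok := r.backends[region]; ok {
		return ep, nil
	}
	if !r.legacyInvalidRegion {
		return "", fmt.Errorf("no backend configured for region %q", region)
	}
	ep, ok := r.backends[r.defaultRegion]
	if !ok {
		return "", errors.New("legacy fallback enabled but default region has no backend")
	}
	r.fallbacks++ // track legacy use so the grace period can actually end
	return ep, nil
}
```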

BREAKING CHANGE: The configuration format is overhauled to support defining multiple backends and the original environment variables have been removed. See README.md on how to configure it following the new format.

Full Changelog: v1.0.0...v2.0.0

v1.0.0

10 Oct 09:58
c6d0400

The initial version of the S3 proxy.

At this time the following features are provided:

STS proxy

  • Support assumeRoleWithWebIdentity to exchange an OIDC access token for temporary credentials targeting a role ARN

S3 proxy

  • Support temporary credentials as provided by STS proxy to authenticate and authorize requests
  • Support evaluating basic IAM policies with s3 actions to define which actions are allowed for a specific role
  • Support presigned URLs (general sigv4 & HMAC V1 query auth)