Merge branch 'c0state-allow_sts_tokens'

README.md

@@ -66,7 +66,7 @@ s3_bucket: blog.example.com
 roles](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html#UsingIAMrolesWithAmazonEC2Instances),
 you can omit the `s3_id` and `s3_secret` keys in the config file.)
 
-S3_website implements supports for reading environment variables from a file using
+S3_website implements support for reading environment variables from a file using
 the [dotenv](https://github.com/bkeepers/dotenv) gem. You can create a `.env` file
 in the project's root directory to take advantage of this feature. Please have
 a look at [dotenv's usage guide](https://github.com/bkeepers/dotenv#usage) for
@@ -446,6 +446,16 @@ Define the subdirectory like so:
 s3_key_prefix: your-subdirectory
 ```
 
+### Temporary security credentials with Session Token
+
+[AWS temporary security credentials](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) (eg: when [assuming IAM roles](http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html))
+
+Usage: 
+
+```yaml
+session_token: your-token
+```
+
 ## Migrating from v1 to v2
 
 Please read the [release note](/changelog.md#200) on version 2. It contains

additional-docs/example-configurations.md

@@ -19,6 +19,15 @@ s3_bucket: your.domain.net
 If you run `s3_website` on an EC2 instance with IAM roles, it is possible to omit
 the `s3_id` and `s3_secret`.
 
+## Minimal for temporary security credentials
+
+````yaml
+s3_id: abcd
+s3_secret: 2s+x92
+session_token: hex!xeh
+s3_bucket: your.domain.net
+````
+
 ## Optimised for speed
 
 Use CloudFront, gzip, cache headers and greater concurrency:

resources/configuration_file_template.yml

@@ -2,6 +2,9 @@ s3_id: YOUR_AWS_S3_ACCESS_KEY_ID
 s3_secret: YOUR_AWS_S3_SECRET_ACCESS_KEY
 s3_bucket: your.blog.bucket.com
 
+# set s3_token if using temporary credentials with a session token (eg: when assuming a role)
+# s3_token: YOUR_AWS_S3_SESSION_TOKEN
+
 # Below are examples of all the available configurations.
 # See README for more detailed info on each of them.
 

src/main/scala/s3/website/model/Config.scala

@@ -8,11 +8,12 @@ import scala.util.{Failure, Try}
 import scala.collection.JavaConversions._
 import s3.website.Ruby.rubyRuntime
 import s3.website._
-import com.amazonaws.auth.{AWSCredentialsProvider, BasicAWSCredentials, DefaultAWSCredentialsProviderChain}
+import com.amazonaws.auth.{AWSCredentialsProvider, BasicAWSCredentials, BasicSessionCredentials, DefaultAWSCredentialsProviderChain}
 
 case class Config(
   s3_id:                                  Option[String], // If undefined, use IAM Roles (http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-roles.html)
   s3_secret:                              Option[String], // If undefined, use IAM Roles (http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-roles.html)
+  session_token:                          Option[String], // If defined, the AWS Security Token Service session token (http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html)
   s3_bucket:                              String,
   s3_endpoint:                            S3Endpoint,
   site:                                   Option[String],
@@ -36,10 +37,19 @@ case class Config(
 object Config {
 
   def awsCredentials(config: Config): AWSCredentialsProvider = {
-    val credentialsFromConfigFile = for {
-      s3_id <- config.s3_id
-      s3_secret <- config.s3_secret
-    } yield new BasicAWSCredentials(s3_id, s3_secret)
+    val credentialsFromConfigFile =
+      if (config.session_token.isEmpty) {
+        for {
+          s3_id <- config.s3_id
+          s3_secret <- config.s3_secret
+        } yield new BasicAWSCredentials(s3_id, s3_secret)
+      } else {
+        for {
+          s3_id <- config.s3_id
+          s3_secret <- config.s3_secret
+          session_token <- config.session_token
+        } yield new BasicSessionCredentials(s3_id, s3_secret, session_token)
+      }
     credentialsFromConfigFile.fold(new DefaultAWSCredentialsProviderChain: AWSCredentialsProvider)(credentials =>
       new AWSCredentialsProvider {
         def getCredentials = credentials

src/main/scala/s3/website/model/Site.scala

@@ -35,6 +35,7 @@ object Site {
         for {
           s3_id <- loadOptionalString("s3_id").right
           s3_secret <- loadOptionalString("s3_secret").right
+          session_token <- loadOptionalString("session_token").right
           s3_bucket <- loadRequiredString("s3_bucket").right
           s3_endpoint <- loadEndpoint.right
           site <- loadOptionalString("site").right
@@ -65,6 +66,7 @@ object Site {
           Config(
             s3_id,
             s3_secret,
+            session_token,
             s3_bucket,
             s3_endpoint getOrElse S3Endpoint.defaultEndpoint,
             site,