Add suppport for AWS IAM roles (#97)

* Added support for specifying an optional IAM role name

Added nullable property RoleName in AWSStorageOptions. Changed AWSStorage.CreateStorageClient to use the IAM role name if it has been supplied, otherwise uses regular basic AWS credentials.

* Removed word wrapping for StorageOptions.OriginalOptions

Removed the word wrapping for the StorageOptions.OriginalOptions parameter, since I see there are other code lines even longer than these.

* Added a comment in CreateStorateClient.

* Made role name optional

Added support for using instance profile credentials without specifying a role name.

* Added missing XML comment for OriginalOptions property

* Added XML comment about what the default is

* Changed CheckConfiguration to also allow instance profile config

Allow that PublicKey and SecretKey is empty if UseInstanceProfileCredentials is true.

* Added some AwsConfig tests for instance profile configuration.

* Updated LocalStack to latest docker version

Updated LocalStack to latest docker version, i.e. 3.5.0.

* Updated the Testcontainers NuGet packages

Updated the Testcontainers NuGet packages to latest.

* Add comment clarifying that IAM instance profile credentials can only be used when running on an EC2 instance.

---------

Co-authored-by: ksemenenko <KSemenenko@users.noreply.github.com>

Author: hoylu-royberg

Storages/ManagedCode.Storage.Aws/AWSStorage.cs

@@ -94,6 +94,15 @@ public override async Task<Result<Stream>> GetStreamAsync(string fileName, Cance
 
     protected override IAmazonS3 CreateStorageClient()
     {
+        // Check if we should use the instance profile credentials.
+        if (StorageOptions.UseInstanceProfileCredentials)
+        {
+            return string.IsNullOrWhiteSpace(StorageOptions.RoleName)
+                ? new AmazonS3Client(new InstanceProfileAWSCredentials(), StorageOptions.OriginalOptions)
+                : new AmazonS3Client(new InstanceProfileAWSCredentials(StorageOptions.RoleName), StorageOptions.OriginalOptions);
+        }
+
+        // If not, use the basic credentials.
         return new AmazonS3Client(new BasicAWSCredentials(StorageOptions.PublicKey, StorageOptions.SecretKey), StorageOptions.OriginalOptions);
     }
 

Storages/ManagedCode.Storage.Aws/Extensions/ServiceCollectionExtensions.cs

@@ -45,13 +45,18 @@ public static IServiceCollection AddAWSStorageAsDefault(this IServiceCollection
 
     private static void CheckConfiguration(AWSStorageOptions options)
     {
-        if (string.IsNullOrEmpty(options.PublicKey))
-            throw new BadConfigurationException($"{nameof(options.PublicKey)} cannot be empty");
-
-        if (string.IsNullOrEmpty(options.SecretKey))
-            throw new BadConfigurationException($"{nameof(options.SecretKey)} cannot be empty");
-
+        // Make sure the bucket name is set.
         if (string.IsNullOrEmpty(options.Bucket))
             throw new BadConfigurationException($"{nameof(options.Bucket)} cannot be empty");
+
+        // If we are using instance profile credentials, we don't need to check for the public and secret keys.
+        if (!options.UseInstanceProfileCredentials)
+        {
+            if (string.IsNullOrEmpty(options.PublicKey))
+                throw new BadConfigurationException($"{nameof(options.PublicKey)} cannot be empty");
+
+            if (string.IsNullOrEmpty(options.SecretKey))
+                throw new BadConfigurationException($"{nameof(options.SecretKey)} cannot be empty");
+        }
     }
 }

Storages/ManagedCode.Storage.Aws/Options/AWSStorageOptions.cs

@@ -3,12 +3,51 @@
 
 namespace ManagedCode.Storage.Aws.Options;
 
+/// <summary>
+///     Configuration options for AWS S3 storage.
+/// </summary>
 public class AWSStorageOptions : IStorageOptions
 {
+    /// <summary>
+    ///     The public key to access the AWS S3 storage bucket.
+    /// </summary>
     public string? PublicKey { get; set; }
+
+    /// <summary>
+    ///     The secret key to access the AWS S3 storage bucket.
+    /// </summary>
     public string? SecretKey { get; set; }
+
+    /// <summary>
+    ///     The name of the IAM role.
+    /// </summary>
+    /// <remarks>
+    ///     If this is set, the <see cref="PublicKey"/> and <see cref="SecretKey"/> will be ignored.
+    ///     Note that this can only be used when running on an EC2 instance.
+    /// </remarks>
+    public string? RoleName { get; set; }
+
+    /// <summary>
+    ///     The name of the bucket to use.
+    /// </summary>
     public string? Bucket { get; set; }
+
+    /// <summary>
+    ///     The underlying Amazon S3 configuration.
+    /// </summary>
     public AmazonS3Config? OriginalOptions { get; set; } = new();
 
+    /// <summary>
+    ///     Whether to create the container if it does not exist. Default is <c>true</c>.
+    /// </summary>
     public bool CreateContainerIfNotExists { get; set; } = true;
+    
+    /// <summary>
+    ///     Whether to use the instance profile credentials. Default is <c>false</c>.
+    /// </summary>
+    /// <remarks>
+    ///    If this is set to <c>true</c>, the <see cref="PublicKey"/> and <see cref="SecretKey"/> will be ignored.
+    ///     Note that this can only be used when running on an EC2 instance.
+    /// </remarks>
+    public bool UseInstanceProfileCredentials { get; set; } = false;
 }

Tests/ManagedCode.Storage.Tests/Common/ContainerImages.cs

@@ -4,5 +4,5 @@ public class ContainerImages
 {
     public const string Azurite = "mcr.microsoft.com/azure-storage/azurite:3.30.0";
     public const string FakeGCSServer = "fsouza/fake-gcs-server:1.49.1";
-    public const string LocalStack = "localstack/localstack:3.4.0";
+    public const string LocalStack = "localstack/localstack:3.5.0";
 }

Tests/ManagedCode.Storage.Tests/ManagedCode.Storage.Tests.csproj

@@ -29,10 +29,10 @@
         <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.0"/>
         <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0"/>
         <PackageReference Include="System.Linq.Async" Version="6.0.1"/>
-        <PackageReference Include="Testcontainers" Version="3.8.0"/>
-        <PackageReference Include="Testcontainers.Azurite" Version="3.8.0"/>
-        <PackageReference Include="Testcontainers.FakeGcsServer" Version="3.8.0"/>
-        <PackageReference Include="Testcontainers.LocalStack" Version="3.8.0"/>
+        <PackageReference Include="Testcontainers" Version="3.9.0" />
+        <PackageReference Include="Testcontainers.Azurite" Version="3.9.0" />
+        <PackageReference Include="Testcontainers.FakeGcsServer" Version="3.9.0" />
+        <PackageReference Include="Testcontainers.LocalStack" Version="3.9.0" />
         <PackageReference Include="xunit" Version="2.8.1"/>
         <PackageReference Include="xunit.runner.visualstudio" Version="2.8.1">
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

Tests/ManagedCode.Storage.Tests/Storages/AWS/AwsConfigTests.cs

@@ -57,6 +57,52 @@ public void BadConfigurationForStorage_WithoutBucket_ThrowException()
             .Throw<BadConfigurationException>();
     }
 
+    [Fact]
+    public void BadInstanceProfileConfigurationForStorage_WithoutBucket_ThrowException()
+    {
+        var services = new ServiceCollection();
+
+        Action action = () => services.AddAWSStorageAsDefault(new AWSStorageOptions
+        {
+            RoleName = "my-role-name",
+            UseInstanceProfileCredentials = true
+        });
+
+        action.Should()
+            .Throw<BadConfigurationException>();
+    }
+
+    [Fact]
+    public void ValidInstanceProfileConfigurationForStorage_WithRoleName_DoesNotThrowException()
+    {
+        var services = new ServiceCollection();
+
+        Action action = () => services.AddAWSStorageAsDefault(new AWSStorageOptions
+        {
+            Bucket = "managed-code-bucket",
+            RoleName = "my-role-name",
+            UseInstanceProfileCredentials = true
+        });
+
+        action.Should()
+            .NotThrow<Exception>();
+    }
+
+    [Fact]
+    public void ValidInstanceProfileConfigurationForStorage_WithoutRoleName_DoesNotThrowException()
+    {
+        var services = new ServiceCollection();
+
+        Action action = () => services.AddAWSStorageAsDefault(new AWSStorageOptions
+        {
+            Bucket = "managed-code-bucket",
+            UseInstanceProfileCredentials = true
+        });
+
+        action.Should()
+            .NotThrow<Exception>();
+    }
+
     [Fact]
     public void StorageAsDefaultTest()
     {