mozilla · Saruniks · Jun 20, 2024 · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -183,6 +183,70 @@ jobs:
 
           ${SCCACHE_PATH} --show-stats | grep -e "Cache hits\s*[1-9]"
 
+  s3_minio_alternative:
+    runs-on: ubuntu-latest
+    needs: build
+
+    # Setup minio server
+    services:
+      minio:
+        image: wktk/minio-server
+        ports:
+          - 9000:9000
+        env:
+          MINIO_ACCESS_KEY: "minioadmin"
+          MINIO_SECRET_KEY: "minioadmin"
+
+    env:
+      SCCACHE_BUCKET: test
+      SCCACHE_ENDPOINT: http://127.0.0.1:9000/
+      SCCACHE_REGION: us-east-1
+      SCCACHE_AWS_ACCESS_KEY_ID: "minioadmin"
+      SCCACHE_AWS_SECRET_ACCESS_KEY: "minioadmin"
+      AWS_EC2_METADATA_DISABLED: "true"
+      RUSTC_WRAPPER: /home/runner/.cargo/bin/sccache
+
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v4
+
+      - name: Setup test bucket
+        # AWS credentials for aws command
+        env:
+          AWS_ACCESS_KEY_ID: minioadmin
+          AWS_SECRET_ACCESS_KEY: minioadmin
+        run: aws --endpoint-url http://127.0.0.1:9000/ s3 mb s3://test
+
+      - name: Install rust
+        uses: ./.github/actions/rust-toolchain
+        with:
+          toolchain: "stable"
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: integration-tests
+          path: /home/runner/.cargo/bin/
+      - name: Chmod for binary
+        run: chmod +x ${SCCACHE_PATH}
+
+      - name: Test
+        run: cargo clean && cargo build
+
+      - name: Output
+        run: |
+          ${SCCACHE_PATH} --show-stats
+
+          ${SCCACHE_PATH} --show-stats | grep s3
+
+      - name: Test Twice for Cache Read
+        run: cargo clean && cargo build
+
+      - name: Output
+        run: |
+          ${SCCACHE_PATH} --show-stats
+
+          ${SCCACHE_PATH} --show-stats | grep -e "Cache hits\s*[1-9]"
+
   azblob_azurite:
     runs-on: ubuntu-latest
     needs: build

diff --git a/docs/Configuration.md b/docs/Configuration.md
@@ -92,6 +92,8 @@ endpoint = "s3-us-east-1.amazonaws.com"
 use_ssl = true
 key_prefix = "s3prefix"
 server_side_encryption = false
+access_key_id = "aws_access_key_id"
+secret_access_key = "aws_secret_access_key"
 
 [cache.webdav]
 endpoint = "http://192.168.10.42:80/some/webdav.php"
@@ -154,6 +156,8 @@ configuration variables
 * `SCCACHE_REGION` s3 region, required if using AWS S3
 * `SCCACHE_S3_USE_SSL` s3 endpoint requires TLS, set this to `true`
 * `SCCACHE_S3_KEY_PREFIX` s3 key prefix (optional)
+* `SCCACHE_AWS_ACCESS_KEY_ID` AWS access key (optional). If not specified, sccache will attempt to load credentials from other sources (see [S3 credentials](S3.md#credentials))
+* `SCCACHE_AWS_SECRET_ACCESS_KEY` AWS secret key (optional). If not specified, sccache will attempt to load credentials from other sources (see [S3 credentials](S3.md#credentials))
 
 The endpoint used then becomes `${SCCACHE_BUCKET}.s3-{SCCACHE_REGION}.amazonaws.com`.
 If you are not using the default endpoint and `SCCACHE_REGION` is undefined, it

diff --git a/docs/S3.md b/docs/S3.md
@@ -23,7 +23,9 @@ Cloudflare R2 is an S3-compatible object storage and works with the same configu
 
 ## Credentials
 
-Sccache is able to load credentials from various sources. Including:
+You can specify credentials using environment variables (`SCCACHE_AWS_ACCESS_KEY_ID` and `SCCACHE_AWS_SECRET_ACCESS_KEY`) or [file configuration](Configuration.md#file) (`access_key_id` and `secret_access_key`).
+
+If credentials are not specified, sccache will attempt to load credentials from various other sources, including:
 
 - Static: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
 - Profile: `~/.aws/credentials` and `~/.aws/config`. The AWS_PROFILE environment variable can be used to select a specific profile if multiple profiles are available.

diff --git a/src/cache/cache.rs b/src/cache/cache.rs
@@ -689,6 +689,8 @@ pub fn storage_from_config(
                     c.endpoint.as_deref(),
                     c.use_ssl,
                     c.server_side_encryption,
+                    c.access_key_id.as_deref(),
+                    c.secret_access_key.as_deref(),
                 )
                 .map_err(|err| anyhow!("create s3 cache failed: {err:?}"))?;
 

diff --git a/src/cache/s3.rs b/src/cache/s3.rs
@@ -21,6 +21,7 @@ use super::http_client::set_user_agent;
 pub struct S3Cache;
 
 impl S3Cache {
+    #[allow(clippy::too_many_arguments)]
     pub fn build(
         bucket: &str,
         region: Option<&str>,
@@ -29,12 +30,25 @@ impl S3Cache {
         endpoint: Option<&str>,
         use_ssl: Option<bool>,
         server_side_encryption: Option<bool>,
+        access_key_id: Option<&str>,
+        secret_access_key: Option<&str>,
     ) -> Result<Operator> {
         let mut builder = S3::default()
             .http_client(set_user_agent())
             .bucket(bucket)
             .root(key_prefix);
 
+        match (access_key_id, secret_access_key) {
+            (Some(access_key_id), Some(secret_access_key)) => {
+                builder.access_key_id(access_key_id);
+                builder.secret_access_key(secret_access_key);
+            }
+            (None, None) => (),
+            _ => {
+                bail!("Both access_key_id and secret_access_key must be set or both must be unset.")
+            }
+        }
+
         if let Some(region) = region {
             builder = builder.region(region);
         }

diff --git a/src/config.rs b/src/config.rs
@@ -315,6 +315,8 @@ pub struct S3CacheConfig {
     pub endpoint: Option<String>,
     pub use_ssl: Option<bool>,
     pub server_side_encryption: Option<bool>,
+    pub access_key_id: Option<String>,
+    pub secret_access_key: Option<String>,
 }
 
 #[derive(Debug, PartialEq, Eq, Serialize, Deserialize)]
@@ -640,6 +642,13 @@ fn config_from_env() -> Result<EnvConfig> {
         let server_side_encryption = bool_from_env_var("SCCACHE_S3_SERVER_SIDE_ENCRYPTION")?;
         let endpoint = env::var("SCCACHE_ENDPOINT").ok();
         let key_prefix = key_prefix_from_env_var("SCCACHE_S3_KEY_PREFIX");
+        let access_key_id = env::var("SCCACHE_AWS_ACCESS_KEY_ID").ok();
+        let secret_access_key = env::var("SCCACHE_AWS_SECRET_ACCESS_KEY").ok();
+
+        match (&access_key_id, &secret_access_key) {
+            (Some(_), Some(_)) | (None, None) => (),
+            _ => bail!("Both SCCACHE_AWS_ACCESS_KEY_ID and SCCACHE_AWS_SECRET_ACCESS_KEY must be set or both must be unset."),
+        }
 
         Some(S3CacheConfig {
             bucket,
@@ -649,14 +658,18 @@ fn config_from_env() -> Result<EnvConfig> {
             endpoint,
             use_ssl,
             server_side_encryption,
+            access_key_id,
+            secret_access_key,
         })
     } else {
         None
     };
 
     if s3.as_ref().map(|s3| s3.no_credentials).unwrap_or_default()
         && (env::var_os("AWS_ACCESS_KEY_ID").is_some()
-            || env::var_os("AWS_SECRET_ACCESS_KEY").is_some())
+            || env::var_os("AWS_SECRET_ACCESS_KEY").is_some()
+            || env::var_os("SCCACHE_AWS_ACCESS_KEY_ID").is_some()
+            || env::var_os("SCCACHE_AWS_SECRET_ACCESS_KEY").is_some())
     {
         bail!("If setting S3 credentials, SCCACHE_S3_NO_CREDENTIALS must not be set.");
     }
@@ -1307,6 +1320,26 @@ fn config_overrides() {
     );
 }
 
+#[test]
+#[serial]
+fn test_s3_no_credentials_conflict_0() {
+    env::set_var("SCCACHE_S3_NO_CREDENTIALS", "true");
+    env::set_var("SCCACHE_BUCKET", "my-bucket");
+    env::set_var("SCCACHE_AWS_ACCESS_KEY_ID", "aws-access-key-id");
+    env::set_var("SCCACHE_AWS_SECRET_ACCESS_KEY", "aws-secret-access-key");
+
+    let error = config_from_env().unwrap_err();
+    assert_eq!(
+        "If setting S3 credentials, SCCACHE_S3_NO_CREDENTIALS must not be set.",
+        error.to_string()
+    );
+
+    env::remove_var("SCCACHE_S3_NO_CREDENTIALS");
+    env::remove_var("SCCACHE_BUCKET");
+    env::remove_var("SCCACHE_AWS_ACCESS_KEY_ID");
+    env::remove_var("SCCACHE_AWS_SECRET_ACCESS_KEY");
+}
+
 #[test]
 #[serial]
 #[cfg(feature = "s3")]
@@ -1492,8 +1525,10 @@ region = "us-east-2"
 endpoint = "s3-us-east-1.amazonaws.com"
 use_ssl = true
 key_prefix = "s3prefix"
-no_credentials = true
+no_credentials = false
 server_side_encryption = false
+access_key_id = "some_access_key_id"
+secret_access_key = "some_secret_access_key"
 
 [cache.webdav]
 endpoint = "http://127.0.0.1:8080"
@@ -1556,8 +1591,10 @@ no_credentials = true
                     endpoint: Some("s3-us-east-1.amazonaws.com".to_owned()),
                     use_ssl: Some(true),
                     key_prefix: "s3prefix".into(),
-                    no_credentials: true,
-                    server_side_encryption: Some(false)
+                    no_credentials: false,
+                    server_side_encryption: Some(false),
+                    access_key_id: Some("some_access_key_id".to_owned()),
+                    secret_access_key: Some("some_secret_access_key".to_owned()),
                 }),
                 webdav: Some(WebdavCacheConfig {
                     endpoint: "http://127.0.0.1:8080".to_string(),