#[error("Missing bucket name")]

MissingBucketName,

#[error("Missing AccessKeyId")]

MissingAccessKeyId,

#[error("Missing SecretAccessKey")]

MissingSecretAccessKey,

#[error("Unable parse source url. Url: {}, Error: {}", url, source)]

UnableToParseUrl {

source: url::ParseError,

url: String,

},

#[error(

UnknownUrlScheme { scheme: String },

#[error("URL did not match any known pattern for scheme: {}", url)]

UrlNotRecognised { url: String },

#[error("Configuration key: '{}' is not known.", key)]

UnknownConfigurationKey { key: String },

#[error("Invalid Zone suffix for bucket '{bucket}'")]

ZoneSuffix { bucket: String },

#[error(

InvalidEncryptionType { passed: String },

#[error(

InvalidEncryptionHeader {

header: &'static str,

source: Box<dyn std::error::Error + Send + Sync + 'static>,

},

match source {

Error::UnknownConfigurationKey { key } => {

Self::UnknownConfigurationKey { store: STORE, key }

}

_ => Self::Generic {

store: STORE,

source: Box::new(source),

},

}

/// Access key id

access_key_id: Option<String>,

/// Secret access_key

secret_access_key: Option<String>,

/// Region

region: Option<String>,

/// Bucket name

bucket_name: Option<String>,

/// Endpoint for communicating with AWS S3

endpoint: Option<String>,

/// Service-specific S3 endpoint URL (takes precedence over endpoint)

s3_endpoint: Option<String>,

/// Token to use for requests

token: Option<String>,

/// Url

url: Option<String>,

/// Retry config

retry_config: RetryConfig,

/// When set to true, fallback to IMDSv1

imdsv1_fallback: ConfigValue<bool>,

/// When set to true, virtual hosted style request has to be used

virtual_hosted_style_request: ConfigValue<bool>,

/// When set to true, S3 express is used

s3_express: ConfigValue<bool>,

/// When set to true, unsigned payload option has to be used

unsigned_payload: ConfigValue<bool>,

/// Checksum algorithm which has to be used for object integrity check during upload

checksum_algorithm: Option<ConfigValue<Checksum>>,

/// Metadata endpoint, see <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html>

metadata_endpoint: Option<String>,

/// Container credentials URL, see <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html>

container_credentials_relative_uri: Option<String>,

/// Container credentials full URL, see <https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html>

container_credentials_full_uri: Option<String>,

/// Container authorization token file, see <https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html>

container_authorization_token_file: Option<String>,

/// Web identity token file path for AssumeRoleWithWebIdentity

web_identity_token_file: Option<String>,

/// Role ARN to assume when using web identity token

role_arn: Option<String>,

/// Session name for web identity role assumption

role_session_name: Option<String>,

/// Custom STS endpoint for web identity token exchange

sts_endpoint: Option<String>,

/// Client options

client_options: ClientOptions,

/// Credentials

credentials: Option<AwsCredentialProvider>,

/// Skip signing requests

skip_signature: ConfigValue<bool>,

/// Copy if not exists

copy_if_not_exists: Option<ConfigValue<S3CopyIfNotExists>>,

/// Put precondition

conditional_put: ConfigValue<S3ConditionalPut>,

/// Ignore tags

disable_tagging: ConfigValue<bool>,

/// Encryption (See [`S3EncryptionConfigKey`])

encryption_type: Option<ConfigValue<S3EncryptionType>>,

encryption_kms_key_id: Option<String>,

encryption_bucket_key_enabled: Option<ConfigValue<bool>>,

/// base64-encoded 256-bit customer encryption key for SSE-C.

encryption_customer_key_base64: Option<String>,

/// When set to true, charge requester for bucket operations

request_payer: ConfigValue<RequesterPayer>,

/// The [`HttpConnector`] to use

http_connector: Option<Arc<dyn HttpConnector>>,

/// AWS Access Key

///

/// See [`AmazonS3Builder::with_access_key_id`] for details.

///

/// Supported keys:

/// - `aws_access_key_id`

/// - `access_key_id`

AccessKeyId,

/// Secret Access Key

///

/// See [`AmazonS3Builder::with_secret_access_key`] for details.

///

/// Supported keys:

/// - `aws_secret_access_key`

/// - `secret_access_key`

SecretAccessKey,

/// Region

///

/// See [`AmazonS3Builder::with_region`] for details.

///

/// Supported keys:

/// - `aws_region`

/// - `region`

Region,

/// Default region

///

/// See [`AmazonS3Builder::with_region`] for details.

///

/// Supported keys:

/// - `aws_default_region`

/// - `default_region`

DefaultRegion,

/// Bucket name

///

/// See [`AmazonS3Builder::with_bucket_name`] for details.

///

/// Supported keys:

/// - `aws_bucket`

/// - `aws_bucket_name`

/// - `bucket`

/// - `bucket_name`

Bucket,

/// Sets custom endpoint for communicating with AWS S3.

///

/// See [`AmazonS3Builder::with_endpoint`] for details.

///

/// Supported keys:

/// - `aws_endpoint`

/// - `aws_endpoint_url`

/// - `endpoint`

/// - `endpoint_url`

Endpoint,

/// Service-specific S3 endpoint URL

///

/// When set, takes precedence over [`Endpoint`](Self::Endpoint) in the build method.

///

/// Supported keys:

/// - `aws_endpoint_url_s3`

S3Endpoint,

/// Token to use for requests (passed to underlying provider)

///

/// See [`AmazonS3Builder::with_token`] for details.

///

/// Supported keys:

/// - `aws_session_token`

/// - `aws_token`

/// - `session_token`

/// - `token`

Token,

/// Fall back to ImdsV1

///

/// See [`AmazonS3Builder::with_imdsv1_fallback`] for details.

///

/// Supported keys:

/// - `aws_imdsv1_fallback`

/// - `imdsv1_fallback`

ImdsV1Fallback,

/// If virtual hosted style request has to be used

///

/// See [`AmazonS3Builder::with_virtual_hosted_style_request`] for details.

///

/// Supported keys:

/// - `aws_virtual_hosted_style_request`

/// - `virtual_hosted_style_request`

VirtualHostedStyleRequest,

/// Avoid computing payload checksum when calculating signature.

///

/// See [`AmazonS3Builder::with_unsigned_payload`] for details.

///

/// Supported keys:

/// - `aws_unsigned_payload`

/// - `unsigned_payload`

UnsignedPayload,

/// Set the checksum algorithm for this client

///

/// See [`AmazonS3Builder::with_checksum_algorithm`] for details.

Checksum,

/// Set the instance metadata endpoint

///

/// See [`AmazonS3Builder::with_metadata_endpoint`] for details.

///

/// Supported keys:

/// - `aws_metadata_endpoint`

/// - `metadata_endpoint`

MetadataEndpoint,

/// Set the container credentials relative URI when used in ECS

///

/// <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html>

///

/// Supported keys:

/// - `aws_container_credentials_relative_uri`

/// - `container_credentials_relative_uri`

///

/// Example: `/v2/credentials/abc123`

ContainerCredentialsRelativeUri,

/// Set the container credentials full URI when used in EKS

///

/// <https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html>

///

/// Supported keys:

/// - `aws_container_credentials_full_uri`

/// - `container_credentials_full_uri`

///

/// Example: `http://169.254.170.2/v2/credentials/abc123`

ContainerCredentialsFullUri,

/// Set the authorization token in plain text when used in EKS to authenticate with ContainerCredentialsFullUri

///

/// <https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html>

///

/// Supported keys:

/// - `aws_container_authorization_token_file`

/// - `container_authorization_token_file`

///

/// Example: `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`

ContainerAuthorizationTokenFile,

/// Web identity token file path for AssumeRoleWithWebIdentity

///

/// Supported keys:

/// - `aws_web_identity_token_file`

/// - `web_identity_token_file`

///

/// Example: `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`

WebIdentityTokenFile,

/// Role ARN to assume when using web identity token

///

/// Supported keys:

/// - `aws_role_arn`

/// - `role_arn`

///

/// Example: `arn:aws:iam::123456789012:role/MyWebIdentityRole`

RoleArn,

/// Session name for web identity role assumption

///

/// Supported keys:

/// - `aws_role_session_name`

/// - `role_session_name`

RoleSessionName,

/// Custom STS endpoint for web identity token exchange

///

/// Defaults to `https://sts.{region}.amazonaws.com`

///

/// Supported keys:

/// - `aws_endpoint_url_sts`

/// - `endpoint_url_sts`

StsEndpoint,

/// Configure how to provide `copy_if_not_exists`

///

/// See [`S3CopyIfNotExists`] for details.

///

/// Supported keys:

/// - `aws_copy_if_not_exists`

/// - `copy_if_not_exists`

CopyIfNotExists,

/// Configure how to provide conditional put operations

///

/// See [`S3ConditionalPut`] for details.

///

/// Supported keys:

/// - `aws_conditional_put`

/// - `conditional_put`

ConditionalPut,

/// Skip signing request

///

/// See [`AmazonS3Builder::with_skip_signature`] for details.

///

/// Supported keys:

/// - `aws_skip_signature`

/// - `skip_signature`

SkipSignature,

/// Disable tagging objects

///

/// If set to `true` will ignore any tags provided to [`put_opts`](crate::ObjectStore::put_opts).

/// This can be desirable if not supported by the backing store

///

/// Supported keys:

/// - `aws_disable_tagging`

/// - `disable_tagging`

DisableTagging,

/// Enable Support for S3 Express One Zone

///

/// Supported keys:

/// - `aws_s3_express`

/// - `s3_express`

S3Express,

/// Enable Support for S3 Requester Pays

///

/// Supported keys:

/// - `aws_request_payer`

/// - `request_payer`

RequestPayer,

/// Client options

Client(ClientConfigKey),

/// Encryption options

Encryption(S3EncryptionConfigKey),

fn as_ref(&self) -> &str {

match self {

Self::AccessKeyId => "aws_access_key_id",

Self::SecretAccessKey => "aws_secret_access_key",

Self::Region => "aws_region",

Self::Bucket => "aws_bucket",

Self::Endpoint => "aws_endpoint",

Self::S3Endpoint => "aws_endpoint_url_s3",

Self::Token => "aws_session_token",

Self::ImdsV1Fallback => "aws_imdsv1_fallback",

Self::VirtualHostedStyleRequest => "aws_virtual_hosted_style_request",

Self::S3Express => "aws_s3_express",

Self::DefaultRegion => "aws_default_region",

Self::MetadataEndpoint => "aws_metadata_endpoint",

Self::UnsignedPayload => "aws_unsigned_payload",

Self::Checksum => "aws_checksum_algorithm",

Self::ContainerCredentialsRelativeUri => "aws_container_credentials_relative_uri",

Self::ContainerCredentialsFullUri => "aws_container_credentials_full_uri",

Self::ContainerAuthorizationTokenFile => "aws_container_authorization_token_file",

Self::WebIdentityTokenFile => "aws_web_identity_token_file",

Self::RoleArn => "aws_role_arn",

Self::RoleSessionName => "aws_role_session_name",

Self::StsEndpoint => "aws_endpoint_url_sts",

Self::SkipSignature => "aws_skip_signature",

Self::CopyIfNotExists => "aws_copy_if_not_exists",

Self::ConditionalPut => "aws_conditional_put",

Self::DisableTagging => "aws_disable_tagging",

Self::RequestPayer => "aws_request_payer",

Self::Client(opt) => opt.as_ref(),

Self::Encryption(opt) => opt.as_ref(),

}

}

type Err = crate::Error;

fn from_str(s: &str) -> Result<Self, Self::Err> {

match s {

"aws_access_key_id" | "access_key_id" => Ok(Self::AccessKeyId),

"aws_secret_access_key" | "secret_access_key" => Ok(Self::SecretAccessKey),

"aws_default_region" | "default_region" => Ok(Self::DefaultRegion),

"aws_region" | "region" => Ok(Self::Region),

"aws_bucket" | "aws_bucket_name" | "bucket_name" | "bucket" => Ok(Self::Bucket),

"aws_endpoint_url" | "aws_endpoint" | "endpoint_url" | "endpoint" => Ok(Self::Endpoint),

"aws_endpoint_url_s3" => Ok(Self::S3Endpoint),

"aws_session_token" | "aws_token" | "session_token" | "token" => Ok(Self::Token),

"aws_virtual_hosted_style_request" | "virtual_hosted_style_request" => {

Ok(Self::VirtualHostedStyleRequest)

}

"aws_s3_express" | "s3_express" => Ok(Self::S3Express),

"aws_imdsv1_fallback" | "imdsv1_fallback" => Ok(Self::ImdsV1Fallback),

"aws_metadata_endpoint" | "metadata_endpoint" => Ok(Self::MetadataEndpoint),

"aws_unsigned_payload" | "unsigned_payload" => Ok(Self::UnsignedPayload),

"aws_checksum_algorithm" | "checksum_algorithm" => Ok(Self::Checksum),

"aws_container_credentials_relative_uri" | "container_credentials_relative_uri" => {

Ok(Self::ContainerCredentialsRelativeUri)

}

"aws_container_credentials_full_uri" | "container_credentials_full_uri" => {

Ok(Self::ContainerCredentialsFullUri)

}

"aws_container_authorization_token_file" | "container_authorization_token_file" => {

Ok(Self::ContainerAuthorizationTokenFile)

}

"aws_web_identity_token_file" | "web_identity_token_file" => {

Ok(Self::WebIdentityTokenFile)

}

"aws_role_arn" | "role_arn" => Ok(Self::RoleArn),

"aws_role_session_name" | "role_session_name" => Ok(Self::RoleSessionName),

"aws_endpoint_url_sts" | "endpoint_url_sts" => Ok(Self::StsEndpoint),

"aws_skip_signature" | "skip_signature" => Ok(Self::SkipSignature),

"aws_copy_if_not_exists" | "copy_if_not_exists" => Ok(Self::CopyIfNotExists),

"aws_conditional_put" | "conditional_put" => Ok(Self::ConditionalPut),

"aws_disable_tagging" | "disable_tagging" => Ok(Self::DisableTagging),

"aws_request_payer" | "request_payer" => Ok(Self::RequestPayer),

// Backwards compatibility

"aws_allow_http" => Ok(Self::Client(ClientConfigKey::AllowHttp)),

"aws_server_side_encryption" | "server_side_encryption" => Ok(Self::Encryption(

S3EncryptionConfigKey::ServerSideEncryption,

)),

"aws_sse_kms_key_id" | "sse_kms_key_id" => {

Ok(Self::Encryption(S3EncryptionConfigKey::KmsKeyId))

}

"aws_sse_bucket_key_enabled" | "sse_bucket_key_enabled" => {

Ok(Self::Encryption(S3EncryptionConfigKey::BucketKeyEnabled))

}

"aws_sse_customer_key_base64" | "sse_customer_key_base64" => Ok(Self::Encryption(

S3EncryptionConfigKey::CustomerEncryptionKey,

)),

_ => match s.strip_prefix("aws_").unwrap_or(s).parse() {

Ok(key) => Ok(Self::Client(key)),

Err(_) => Err(Error::UnknownConfigurationKey { key: s.into() }.into()),

},

}

}

/// Create a new [`AmazonS3Builder`] with default values.

pub fn new() -> Self {

Default::default()

}

/// Fill the [`AmazonS3Builder`] with regular AWS environment variables

///

/// All environment variables starting with `AWS_` will be evaluated.

/// Names must match acceptable input to [`AmazonS3ConfigKey::from_str`].

///

/// Some examples of variables extracted from environment:

/// * `AWS_ACCESS_KEY_ID` -> access_key_id

/// * `AWS_SECRET_ACCESS_KEY` -> secret_access_key

/// * `AWS_DEFAULT_REGION` -> region

/// * `AWS_ENDPOINT` -> endpoint

/// * `AWS_ENDPOINT_URL_S3` -> s3_endpoint (takes precedence over endpoint in build)

/// * `AWS_SESSION_TOKEN` -> token

/// * `AWS_WEB_IDENTITY_TOKEN_FILE` -> path to file containing web identity token for AssumeRoleWithWebIdentity

/// * `AWS_ROLE_ARN` -> ARN of the role to assume when using web identity token

/// * `AWS_ROLE_SESSION_NAME` -> optional session name for web identity role assumption (defaults to "WebIdentitySession")

/// * `AWS_ENDPOINT_URL_STS` -> optional custom STS endpoint for web identity token exchange (defaults to "https://sts.{region}.amazonaws.com")

/// * `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` -> <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html>

/// * `AWS_CONTAINER_CREDENTIALS_FULL_URI` -> <https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html>

/// * `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` -> <https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html>

/// * `AWS_ALLOW_HTTP` -> set to "true" to permit HTTP connections without TLS

/// * `AWS_REQUEST_PAYER` -> set to "requester" or "true" to permit operations on requester-pays buckets.

///

/// # Example

/// ```

/// use object_store::aws::AmazonS3Builder;

///

/// let s3 = AmazonS3Builder::from_env()

/// .with_bucket_name("foo")

/// .build();

/// ```

pub fn from_env() -> Self {

let mut builder: Self = Default::default();

for (os_key, os_value) in std::env::vars_os() {

if let (Some(key), Some(value)) = (os_key.to_str(), os_value.to_str()) {

if key.starts_with("AWS_") {

if let Ok(config_key) = key.to_ascii_lowercase().parse() {

builder = builder.with_config(config_key, value);

}

}

}

}

builder

}

/// Parse available connection info form a well-known storage URL.

///

/// The supported url schemes are:

///

/// - `s3://<bucket>/<path>`

/// - `s3a://<bucket>/<path>`

/// - `https://s3.<region>.amazonaws.com/<bucket>`

/// - `https://<bucket>.s3.<region>.amazonaws.com`

/// - `https://ACCOUNT_ID.r2.cloudflarestorage.com/bucket`

///

/// Note: Settings derived from the URL will override any others set on this builder

///

/// # Example

/// ```

/// use object_store::aws::AmazonS3Builder;

///

/// let s3 = AmazonS3Builder::from_env()

/// .with_url("s3://bucket/path")

/// .build();

/// ```

pub fn with_url(mut self, url: impl Into<String>) -> Self {

self.url = Some(url.into());

self

}

/// Set an option on the builder via a key - value pair.

pub fn with_config(mut self, key: AmazonS3ConfigKey, value: impl Into<String>) -> Self {

match key {

AmazonS3ConfigKey::AccessKeyId => self.access_key_id = Some(value.into()),

AmazonS3ConfigKey::SecretAccessKey => self.secret_access_key = Some(value.into()),

AmazonS3ConfigKey::Region => self.region = Some(value.into()),

AmazonS3ConfigKey::Bucket => self.bucket_name = Some(value.into()),

AmazonS3ConfigKey::Endpoint => self.endpoint = Some(value.into()),

AmazonS3ConfigKey::S3Endpoint => self.s3_endpoint = Some(value.into()),

AmazonS3ConfigKey::Token => self.token = Some(value.into()),

AmazonS3ConfigKey::ImdsV1Fallback => self.imdsv1_fallback.parse(value),

AmazonS3ConfigKey::VirtualHostedStyleRequest => {

self.virtual_hosted_style_request.parse(value)

}

AmazonS3ConfigKey::S3Express => self.s3_express.parse(value),

AmazonS3ConfigKey::DefaultRegion => {

self.region = self.region.or_else(|| Some(value.into()))

}

AmazonS3ConfigKey::MetadataEndpoint => self.metadata_endpoint = Some(value.into()),

AmazonS3ConfigKey::UnsignedPayload => self.unsigned_payload.parse(value),

AmazonS3ConfigKey::Checksum => {

self.checksum_algorithm = Some(ConfigValue::Deferred(value.into()))

}

AmazonS3ConfigKey::ContainerCredentialsRelativeUri => {

self.container_credentials_relative_uri = Some(value.into())

}

AmazonS3ConfigKey::ContainerCredentialsFullUri => {

self.container_credentials_full_uri = Some(value.into());

}

AmazonS3ConfigKey::ContainerAuthorizationTokenFile => {

self.container_authorization_token_file = Some(value.into());

}

AmazonS3ConfigKey::WebIdentityTokenFile => {

self.web_identity_token_file = Some(value.into());

}

AmazonS3ConfigKey::RoleArn => {

self.role_arn = Some(value.into());

}

AmazonS3ConfigKey::RoleSessionName => {

self.role_session_name = Some(value.into());

}

AmazonS3ConfigKey::StsEndpoint => {

self.sts_endpoint = Some(value.into());

}

AmazonS3ConfigKey::Client(key) => {

self.client_options = self.client_options.with_config(key, value)

}

AmazonS3ConfigKey::SkipSignature => self.skip_signature.parse(value),

AmazonS3ConfigKey::DisableTagging => self.disable_tagging.parse(value),

AmazonS3ConfigKey::CopyIfNotExists => {

self.copy_if_not_exists = Some(ConfigValue::Deferred(value.into()))

}

AmazonS3ConfigKey::ConditionalPut => {

self.conditional_put = ConfigValue::Deferred(value.into())

}

AmazonS3ConfigKey::RequestPayer => self.request_payer.parse(value),

AmazonS3ConfigKey::Encryption(key) => match key {

S3EncryptionConfigKey::ServerSideEncryption => {

self.encryption_type = Some(ConfigValue::Deferred(value.into()))

}

S3EncryptionConfigKey::KmsKeyId => self.encryption_kms_key_id = Some(value.into()),

S3EncryptionConfigKey::BucketKeyEnabled => {

self.encryption_bucket_key_enabled = Some(ConfigValue::Deferred(value.into()))

}

S3EncryptionConfigKey::CustomerEncryptionKey => {

self.encryption_customer_key_base64 = Some(value.into())

}

},

};

self

}

/// Get config value via a [`AmazonS3ConfigKey`].

///

/// # Example

/// ```

/// use object_store::aws::{AmazonS3Builder, AmazonS3ConfigKey};

///

/// let builder = AmazonS3Builder::from_env()

/// .with_bucket_name("foo");

/// let bucket_name = builder.get_config_value(&AmazonS3ConfigKey::Bucket).unwrap_or_default();

/// assert_eq!("foo", &bucket_name);

/// ```

pub fn get_config_value(&self, key: &AmazonS3ConfigKey) -> Option<String> {

match key {

AmazonS3ConfigKey::AccessKeyId => self.access_key_id.clone(),

AmazonS3ConfigKey::SecretAccessKey => self.secret_access_key.clone(),

AmazonS3ConfigKey::Region | AmazonS3ConfigKey::DefaultRegion => self.region.clone(),

AmazonS3ConfigKey::Bucket => self.bucket_name.clone(),

AmazonS3ConfigKey::Endpoint => self.endpoint.clone(),

AmazonS3ConfigKey::S3Endpoint => self.s3_endpoint.clone(),

AmazonS3ConfigKey::Token => self.token.clone(),

AmazonS3ConfigKey::ImdsV1Fallback => Some(self.imdsv1_fallback.to_string()),

AmazonS3ConfigKey::VirtualHostedStyleRequest => {

Some(self.virtual_hosted_style_request.to_string())

}

AmazonS3ConfigKey::S3Express => Some(self.s3_express.to_string()),

AmazonS3ConfigKey::MetadataEndpoint => self.metadata_endpoint.clone(),

AmazonS3ConfigKey::UnsignedPayload => Some(self.unsigned_payload.to_string()),

AmazonS3ConfigKey::Checksum => {

self.checksum_algorithm.as_ref().map(ToString::to_string)

}

AmazonS3ConfigKey::Client(key) => self.client_options.get_config_value(key),

AmazonS3ConfigKey::ContainerCredentialsRelativeUri => {

self.container_credentials_relative_uri.clone()

}

AmazonS3ConfigKey::ContainerCredentialsFullUri => {

self.container_credentials_full_uri.clone()

}

AmazonS3ConfigKey::ContainerAuthorizationTokenFile => {

self.container_authorization_token_file.clone()

}

AmazonS3ConfigKey::WebIdentityTokenFile => self.web_identity_token_file.clone(),

AmazonS3ConfigKey::RoleArn => self.role_arn.clone(),

AmazonS3ConfigKey::RoleSessionName => self.role_session_name.clone(),

AmazonS3ConfigKey::StsEndpoint => self.sts_endpoint.clone(),

AmazonS3ConfigKey::SkipSignature => Some(self.skip_signature.to_string()),

AmazonS3ConfigKey::CopyIfNotExists => {

self.copy_if_not_exists.as_ref().map(ToString::to_string)

}

AmazonS3ConfigKey::ConditionalPut => Some(self.conditional_put.to_string()),

AmazonS3ConfigKey::DisableTagging => Some(self.disable_tagging.to_string()),

AmazonS3ConfigKey::RequestPayer => Some(self.request_payer.to_string()),

AmazonS3ConfigKey::Encryption(key) => match key {

S3EncryptionConfigKey::ServerSideEncryption => {

self.encryption_type.as_ref().map(ToString::to_string)

}

S3EncryptionConfigKey::KmsKeyId => self.encryption_kms_key_id.clone(),

S3EncryptionConfigKey::BucketKeyEnabled => self

.encryption_bucket_key_enabled

.as_ref()

.map(ToString::to_string),

S3EncryptionConfigKey::CustomerEncryptionKey => {

self.encryption_customer_key_base64.clone()

}

},

}

}

/// Sets properties on this builder based on a URL

///

/// This is a separate member function to allow fallible computation to

/// be deferred until [`Self::build`] which in turn allows deriving [`Clone`]

fn parse_url(&mut self, url: &str) -> Result<()> {

let parsed = Url::parse(url).map_err(|source| {

let url = url.into();

Error::UnableToParseUrl { url, source }

})?;

let host = parsed

.host_str()

.ok_or_else(|| Error::UrlNotRecognised { url: url.into() })?;

match parsed.scheme() {

"s3" | "s3a" => self.bucket_name = Some(host.to_string()),

"https" => match host.splitn(4, '.').collect_tuple() {

Some(("s3", region, "amazonaws", "com")) => {

self.region = Some(region.to_string());

let bucket = parsed.path_segments().into_iter().flatten().next();

if let Some(bucket) = bucket {

self.bucket_name = Some(bucket.into());

}

}

Some((bucket, "s3", "amazonaws", "com")) => {

self.bucket_name = Some(bucket.to_string());

self.virtual_hosted_style_request = true.into();

}

Some((bucket, "s3", region, "amazonaws.com")) => {

self.bucket_name = Some(bucket.to_string());

self.region = Some(region.to_string());

self.virtual_hosted_style_request = true.into();

}

Some((account, "r2", "cloudflarestorage", "com")) => {

self.region = Some("auto".to_string());

let endpoint = format!("https://{account}.r2.cloudflarestorage.com");

self.endpoint = Some(endpoint);

let bucket = parsed.path_segments().into_iter().flatten().next();

if let Some(bucket) = bucket {

self.bucket_name = Some(bucket.into());

}

}

_ => return Err(Error::UrlNotRecognised { url: url.into() }.into()),

},

scheme => {

let scheme = scheme.into();

return Err(Error::UnknownUrlScheme { scheme }.into());

}

};

Ok(())

}

/// Set the AWS Access Key

///

/// Examples: `AKIAIOSFODNN7EXAMPLE`, `ASIA4ZP5EXAMPLETOKEN`

pub fn with_access_key_id(mut self, access_key_id: impl Into<String>) -> Self {

self.access_key_id = Some(access_key_id.into());

self

}

/// Set the AWS Secret Access Key

pub fn with_secret_access_key(mut self, secret_access_key: impl Into<String>) -> Self {

self.secret_access_key = Some(secret_access_key.into());

self

}

/// Set the AWS Session Token to use for requests

///

/// Should not be used in combination with [`Self::with_allow_http`].

pub fn with_token(mut self, token: impl Into<String>) -> Self {

self.token = Some(token.into());

self

}

/// Set the region, defaults to `us-east-1`

pub fn with_region(mut self, region: impl Into<String>) -> Self {

self.region = Some(region.into());

self

}

/// Set the bucket_name (required)

pub fn with_bucket_name(mut self, bucket_name: impl Into<String>) -> Self {

self.bucket_name = Some(bucket_name.into());

self

}

/// Sets the endpoint for communicating with AWS S3.

///

/// Defaults to the [region endpoint]. See [`Self::with_region`] for further details.

///

/// For example, this might be set to `"http://localhost:4566:`

/// for testing against a localstack instance.

///

/// The `endpoint` field should be consistent with [`Self::with_virtual_hosted_style_request`].

/// I.e. if `virtual_hosted_style_request` is set to true then `endpoint`

/// should have the bucket name included.

///

/// By default, only HTTPS schemes are enabled.

/// To connect to an HTTP endpoint, enable [`Self::with_allow_http`].

///

/// [region endpoint]: https://docs.aws.amazon.com/general/latest/gr/s3.html

pub fn with_endpoint(mut self, endpoint: impl Into<String>) -> Self {

self.endpoint = Some(endpoint.into());

self

}

/// Set the credential provider overriding any other options

pub fn with_credentials(mut self, credentials: AwsCredentialProvider) -> Self {

self.credentials = Some(credentials);

self

}

/// Sets what protocol is allowed.

///

/// If `allow_http` is :

/// * false (default): Only HTTPS are allowed

/// * true: HTTP and HTTPS are allowed

///

/// <div class="warning">

///

/// **Warning**

///

/// If you enable this option, attackers may be able to read the data you request.

///

/// </div>

pub fn with_allow_http(mut self, allow_http: bool) -> Self {

self.client_options = self.client_options.with_allow_http(allow_http);

self

}

/// Sets if virtual hosted style request has to be used.

///

/// If `virtual_hosted_style_request` is:

/// * false (default): Path style request is used

/// * true: Virtual hosted style request is used

///

/// If the `endpoint` is provided then it should be

/// consistent with `virtual_hosted_style_request`.

/// I.e. if `virtual_hosted_style_request` is set to true

/// then `endpoint` should have bucket name included.

pub fn with_virtual_hosted_style_request(mut self, virtual_hosted_style_request: bool) -> Self {

self.virtual_hosted_style_request = virtual_hosted_style_request.into();

self

}

/// Configure this as an S3 Express One Zone Bucket

pub fn with_s3_express(mut self, s3_express: bool) -> Self {

self.s3_express = s3_express.into();

self

}

/// Set the retry configuration

pub fn with_retry(mut self, retry_config: RetryConfig) -> Self {

self.retry_config = retry_config;

self

}

/// By default instance credentials will only be fetched over [IMDSv2], as AWS recommends

/// against having IMDSv1 enabled on EC2 instances as it is vulnerable to [SSRF attack]

///

/// However, certain deployment environments, such as those running old versions of kube2iam,

/// may not support IMDSv2. This option will enable automatic fallback to using IMDSv1

/// if the token endpoint returns a 403 error indicating that IMDSv2 is not supported.

///

/// This option has no effect if not using instance credentials

///

/// [IMDSv2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

/// [SSRF attack]: https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

pub fn with_imdsv1_fallback(mut self) -> Self {

self.imdsv1_fallback = true.into();

self

}

/// Sets if unsigned payload option has to be used.

///

/// See [unsigned payload option](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html)

/// * false (default): Signed payload option is used, where the checksum for the request body is computed and included when constructing a canonical request.

/// * true: Unsigned payload option is used. `UNSIGNED-PAYLOAD` literal is included when constructing a canonical request,

pub fn with_unsigned_payload(mut self, unsigned_payload: bool) -> Self {

self.unsigned_payload = unsigned_payload.into();

self

}

/// If enabled, [`AmazonS3`] will not fetch credentials and will not sign requests

///

/// This can be useful when interacting with public S3 buckets that deny authorized requests

pub fn with_skip_signature(mut self, skip_signature: bool) -> Self {

self.skip_signature = skip_signature.into();

self

}

/// Sets the [checksum algorithm] which has to be used for object integrity check during upload.

///

/// [checksum algorithm]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html

pub fn with_checksum_algorithm(mut self, checksum_algorithm: Checksum) -> Self {

// Convert to String to enable deferred parsing of config

self.checksum_algorithm = Some(checksum_algorithm.into());

self

}

/// Set the [instance metadata endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html),

/// used primarily within AWS EC2.

///

/// This defaults to the IPv4 endpoint: http://169.254.169.254.

/// One can alternatively use the IPv6 endpoint http://fd00:ec2::254.

pub fn with_metadata_endpoint(mut self, endpoint: impl Into<String>) -> Self {

self.metadata_endpoint = Some(endpoint.into());

self

}

/// Set the proxy_url to be used by the underlying client

pub fn with_proxy_url(mut self, proxy_url: impl Into<String>) -> Self {

self.client_options = self.client_options.with_proxy_url(proxy_url);

self

}

/// Set a trusted proxy CA certificate

pub fn with_proxy_ca_certificate(mut self, proxy_ca_certificate: impl Into<String>) -> Self {

self.client_options = self

.client_options

.with_proxy_ca_certificate(proxy_ca_certificate);

self

}

/// Set a list of hosts to exclude from proxy connections

pub fn with_proxy_excludes(mut self, proxy_excludes: impl Into<String>) -> Self {

self.client_options = self.client_options.with_proxy_excludes(proxy_excludes);

self

}

/// Sets the client options, overriding any already set

pub fn with_client_options(mut self, options: ClientOptions) -> Self {

self.client_options = options;

self

}