From c68ded94b3f2ba9ec4cfba869239a08d71eefbeb Mon Sep 17 00:00:00 2001
From: Marko Mikulicic
Date: Tue, 12 Jul 2022 18:33:48 +0200
Subject: [PATCH 1/2] feat: Add support for WebIdentityProvider (EKS)
---
 Cargo.toml | 3 ++-
 src/aws.rs | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index da3de91..762a3de 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -40,6 +40,7 @@ percent-encoding = "2.1"
 rusoto_core = { version = "0.48.0", optional = true, default-features = false, features = ["rustls"] }
 rusoto_credential = { version = "0.48.0", optional = true, default-features = false }
 rusoto_s3 = { version = "0.48.0", optional = true, default-features = false, features = ["rustls"] }
+rusoto_sts = { version = "0.48.0", optional = true, default-features = false, features = ["rustls"] }
 snafu = "0.7"
 tokio = { version = "1.18", features = ["sync", "macros", "parking_lot", "rt-multi-thread", "time"] }
 tracing = { version = "0.1" }
@@ -53,7 +54,7 @@ walkdir = "2"
 azure = ["azure_core", "azure_storage_blobs", "azure_storage", "reqwest"]
 azure_test = ["azure", "azure_core/azurite_workaround", "azure_storage/azurite_workaround", "azure_storage_blobs/azurite_workaround"]
 gcp = ["serde", "serde_json", "reqwest", "reqwest/json", "reqwest/stream", "chrono/serde", "rustls-pemfile", "base64"]
-aws = ["rusoto_core", "rusoto_credential", "rusoto_s3", "hyper", "hyper-rustls"]
+aws = ["rusoto_core", "rusoto_credential", "rusoto_s3", "rusoto_sts", "hyper", "hyper-rustls"]
 [dev-dependencies] # In alphabetical order
 dotenv = "0.15.0"
diff --git a/src/aws.rs b/src/aws.rs
index 672ba34..57bfeaf 100644
--- a/src/aws.rs
+++ b/src/aws.rs
@@ -17,6 +17,7 @@ use hyper::client::Builder as HyperBuilder;
 use rusoto_core::ByteStream;
 use rusoto_credential::{InstanceMetadataProvider, StaticProvider};
 use rusoto_s3::S3;
+use rusoto_sts::WebIdentityProvider;
 use snafu::{OptionExt, ResultExt, Snafu};
 use std::ops::Range;
 use std::{convert::TryFrom, fmt, num::NonZeroUsize, ops::Deref, sync::Arc, time::Duration};
@@ -499,10 +500,10 @@ pub fn new_s3(
 }
 (None, Some(_), _) => return Err(Error::MissingAccessKey.into()),
 (Some(_), None, _) => return Err(Error::MissingSecretAccessKey.into()),
- _ => {
- let credentials_provider = InstanceMetadataProvider::new();
- rusoto_s3::S3Client::new_with(http_client, credentials_provider, region)
+ _ if std::env::var_os("AWS_WEB_IDENTITY_TOKEN_FILE").is_some() => {
+ rusoto_s3::S3Client::new_with(http_client, WebIdentityProvider::from_k8s_env(), region)
 }
+ _ => rusoto_s3::S3Client::new_with(http_client, InstanceMetadataProvider::new(), region),
 };
 Ok(AmazonS3 {
From 1fa5115cc6aa6964419d65d5473b770092a406c4 Mon Sep 17 00:00:00 2001
From: Marko Mikulicic
Date: Tue, 12 Jul 2022 23:13:02 +0200
Subject: [PATCH 2/2] fix: Pin localstack image
---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 9c626ec..b4dff6d 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -175,7 +175,7 @@ jobs: # setup multiple docker images (see https://circleci.com/docs/2.0/configuration-reference/#docker) docker: - image: quay.io/influxdb/rust:ci - image: localstack/localstack + - image: localstack/localstack:0.14.4 - image: mcr.microsoft.com/azure-storage/azurite - image: fsouza/fake-gcs-server command:
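Review bot: In the `new_s3` hunk of src/aws.rs, the new `_ if std::env::var_os("AWS_WEB_IDENTITY_TOKEN_FILE").is_some()` arm selects the web-identity provider whenever the variable exists, including when it is set to an empty string, and from that point there is no fallback to `InstanceMetadataProvider`. Guarding on a non-empty value, `_ if std::env::var_os("AWS_WEB_IDENTITY_TOKEN_FILE").map_or(false, |v| !v.is_empty()) => {`, keeps a blank or leftover export from silently switching the credential source. `from_k8s_env()` presumably also needs the role ARN from the environment, so a misconfigured pod would likely fail only on the first S3 request rather than at construction; a doc comment on `new_s3` stating the precedence (explicit keys, then web identity token file, then instance metadata) would make that easier to diagnose. It is also worth confirming whether `WebIdentityProvider` caches the STS credentials it obtains or should be wrapped in `rusoto_credential::AutoRefreshingProvider`, since otherwise every request may trigger a token exchange. The body of `new_s3` starts and ends outside this hunk.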