Support AWS STS for s3

[ianb-mp]

Is your feature request related to a problem? Please describe:
I've generated short term credentials using AWS STS and stored them in a k8s secret. However when I attempt to import an image from S3 using that secret, I get this error in the CDI importer pod:

E1127 04:28:14.705335       1 importer.go:347] InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.        

Describe the solution you'd like:
In addition to accessKeyId and secretKey, it should be possible to pass a session token (required by AWS STS) to enable authentication.

This code would need to be updated to accept the token (see AWS SDK doco here)

containerized-data-importer/pkg/importer/s3-datasource.go

Line 177 in b0038aa

creds := credentials.NewStaticCredentials(accessKey, secKey, "")

[awels]

Would using extra headers help you here? https://github.com/kubevirt/containerized-data-importer/blob/main/doc/datavolumes.md#extra-headers

[ianb-mp]

Thanks for the suggestion! Rather than extra headers, i think a better approach may be to generate a 'presigned URL' as documented here: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

That would obviously require the caller to handle the secrets on their side when generating the kubevirt manifest, which may not be appropriate/possible in many scenarios.

[chomatdam]

or depending on your environment, you could let the AWS default credential provider chain do the work (it'd remove the need for static creds), I think it was the idea behind this old PR: #3433, but hasn’t been finished.