Releases: VITObelgium/fakes3pp

v2.3.0

07 Jan 12:32
300c4fd

What's Changed

Full Changelog: v2.2.0...v2.3.0

Allow dynamic reload of local policies

17 Dec 11:45
cdeab87

What's Changed

Full Changelog: v2.1.0...v2.2.0

v2.1.0

06 Dec 19:07
f2e0a5c

What's Changed

  • Bugfix/set idp claims when assuming with webidentity by @pvbouwel in #12
  • security: allow setting conditions on the request region #13 by @pvbouwel in #14

Full Changelog: v2.0.1...v2.1.0

Fix CI release containers

28 Nov 09:28
14bbb4d

This release does not have functional changes. It fixes some CI issues that hindered pushing a container for a release version.
So this can be used as if it were version 2.0.0.

What's Changed

  • ci: allow skipping tests depending on testing backends during build by @pvbouwel in #10
  • bugfix: container build environment variable by @pvbouwel in #11

Full Changelog: v2.0.0...v2.0.1

v2.0.0 multiple S3 backends and Session Tags

27 Nov 16:15
135816a

What's Changed

  • feature: process nested tag claims by @pvbouwel in #6

Support the nested claims format for webidentity tokens in the same way AWS supports it. This makes it possible to set session tags when assuming a role with a webidentity token, so that policies can be influenced by attributes in your identity store (see the unit test if it is unclear what type of policy is meant).

  • !Feature/proxy multiple backends issue3 by @pvbouwel in #7 & #9
    Since we are a proxy we don't need a 1-to-1 relationship with a single S3 proxy. We now allow specifying multiple S3 backends, and the backend is selected based on the region attribute of the request. This means that at the time of writing we are still limited to a single backend per region, which does not seem too limiting (if this would be an issue for you, open an issue and explain your use case for multiple backends within a region).

BREAKING CHANGE: This change expects that a valid region is passed in; otherwise it fails. If this is unwanted, you can still specify a default region and enable the config flag "ENABLE_LEGACY_BEHAVIOR_INVALID_REGION_TO_DEFAULT_REGION", but this should only be used for transition periods with a grace period, since allowing invalid region names becomes harder to migrate away from over time (as the number of invalid client configurations keeps increasing).

BREAKING CHANGE: The configuration format has been overhauled to support defining multiple backends, and the original environment variables have been removed. See README.md for how to configure it in the new format.

Full Changelog: v1.0.0...v2.0.0

v1.0.0

10 Oct 09:58
c6d0400

The initial version of the S3 proxy.

At this time the following features are provided:

STS proxy

  • Support assumeRoleWithWebIdentity to exchange an OIDC access token for temporary credentials targeting a role ARN

S3 proxy

  • Support temporary credentials as provided by STS proxy to authenticate and authorize requests
  • Support evaluating basic IAM policies with s3 actions to define which actions are allowed for a specific role
  • Support presigned URLs (general sigv4 & HMAC V1 query auth)