Context
v0.3.1 added remote config loading (-c s3://..., -c gs://..., -c az://...), but currently only supports public (unauthenticated) endpoints. Private buckets return 403.
Problem
Polling private buckets requires cloud-provider-specific authentication:
- AWS S3: SigV4 request signing
- GCS: Bearer token from metadata server (1h expiry, needs refresh)
- Azure Blob: Managed Identity token or SAS token
A plain reqwest::get() can't handle any of these without additional logic.
Options to explore
| Approach | Pros | Cons |
|---|---|---|
| CONFIG_AUTH_HEADER env var | Simple, works for GCS/Azure Bearer tokens and custom HTTP endpoints | Doesn't work for AWS SigV4; token expiry not handled |
| Cloud SDK dependencies (aws-sdk-s3, google-cloud-storage) | Full support including token refresh | Heavy deps, conflicts with lightweight goal |
| Metadata server token refresh | No new deps, covers GCS/Azure MSI | AWS still needs SigV4; platform-specific code |
| Presigned/SAS URL support in docs | Zero implementation | URLs expire (S3 max 7 days), not suitable for long-running polling |
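The "metadata server token refresh" row above is the option where the tool itself has to track expiry. The following is an added example, not code from this project: a small token cache that re-fetches a bearer token before it lapses (the GCE metadata server's 1h tokens are the motivating case). The fetcher closure, REFRESH_MARGIN and the refresh_count field are assumptions made for illustration; the HTTP call to the metadata server is left to the caller.

```rust
use std::time::{Duration, Instant};

// Refresh this long before the token's stated expiry so a poll never starts with a
// token that lapses mid-request (hypothetical margin, not a project setting).
const REFRESH_MARGIN: Duration = Duration::from_secs(60);

struct CachedToken {
    value: String,
    expires_at: Instant,
}

// Caches a short-lived bearer token and re-fetches it before expiry. The fetcher
// returns (token, expires_in_seconds), the two fields the GCE metadata server
// (.../service-accounts/default/token with header "Metadata-Flavor: Google") and
// the Azure IMDS token endpoint both return; how the caller reaches them is not shown.
pub struct TokenCache<F: FnMut() -> Result<(String, u64), String>> {
    fetch: F,
    cached: Option<CachedToken>,
    pub refresh_count: usize,
}

impl<F: FnMut() -> Result<(String, u64), String>> TokenCache<F> {
    pub fn new(fetch: F) -> Self {
        TokenCache { fetch, cached: None, refresh_count: 0 }
    }

    fn needs_refresh(&self, now: Instant) -> bool {
        match &self.cached {
            None => true,
            Some(t) => now + REFRESH_MARGIN >= t.expires_at,
        }
    }

    // Returns the Authorization header value to attach to the config GET,
    // refreshing the token first if it is missing or about to expire.
    pub fn authorization_header(&mut self) -> Result<String, String> {
        let now = Instant::now();
        if self.needs_refresh(now) {
            let (value, expires_in) = (self.fetch)()?;
            let expires_at = now + Duration::from_secs(expires_in);
            self.cached = Some(CachedToken { value, expires_at });
            self.refresh_count += 1;
        }
        Ok(format!("Bearer {}", self.cached.as_ref().unwrap().value))
    }
}

fn main() {
    // Constructed stand-in for a metadata server: mints tok1, tok2, ... with a 1h lifetime.
    let mut n = 0;
    let mut cache = TokenCache::new(move || { n += 1; Ok((format!("tok{}", n), 3600)) });
    println!("{}", cache.authorization_header().unwrap()); // Bearer tok1
    println!("{}", cache.authorization_header().unwrap()); // still Bearer tok1, no refresh
}
```

A fetch error (metadata server unreachable, non-200 response) propagates to the caller, so the poller can keep the last good config rather than treating a 403 as a config change.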
Current workarounds
- Init container: Copy config from private bucket to shared volume at startup, use local path
- Internal HTTP endpoint: Serve config from an authenticated internal service, use https://...
- Public bucket with restricted network: Use VPC endpoints / firewall rules instead of bucket-level auth
Acceptance criteria
CONFIG_AUTH_HEADER + metadata server token refresh)