S3 direct upload from EKS

[kizmanj]

Summary

When running in a container from EKS and using service accounts, AWS services are not accessed with a static key/secret pair, but with temporary credentials received from STS. (keyId, secret, sessionToken)

https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html

Describe the solution you'd like

The following files will need to be updated to add x-amz-security-token to the policy document and the upload's form data:
src/Http/ViewComposers/MediasUploaderConfig.php
frontend/js/components/media-library/Uploader.vue

Additional context

Working on a branch with the changes

[ifox]

Hi @kizmanj, we're aware of this use case. For example, since this PR has been merged, it has been possible to use IAM roles on EC2 instances instead of access key pairs. It implies that you use the local endpoint type of the media library and specify a remote disk under twill.media_library.disk. That way the Twill uploader doesn't attempt to direct upload to S3, it uploads to your application first, which can be authorized to communicate with S3 to actually store the file. Maybe you've tried that and it didn't work?

Happy to review a PR improving compatibility for sure!