Multiple AWS credential pairs (per-client auth) #13
Description
Summary
Support multiple AWS access key / secret key pairs so different clients can authenticate with their own credentials.
Problem
Currently, s3proxy uses a single set of AWS credentials (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) for both client authentication and upstream S3 access. All clients must share the same credentials, making it impossible to:
- Revoke access for a single client
- Audit which client performed which operation
- Apply per-client rate limits or permissions
Proposal
- Support a credential mapping: multiple client credential pairs that all map to the upstream S3 credentials
- Configuration via environment variable, config file, or external auth provider
- Each client keypair is independently revocable
- Log which client credential was used per request (for audit trail)
Example config
credentials:
- access_key: "client-a-key"
secret_key: "client-a-secret"
name: "backup-service"
- access_key: "client-b-key"
secret_key: "client-b-secret"
name: "analytics"
upstream:
access_key: "real-s3-key"
secret_key: "real-s3-secret"