Add code comments

Author: djnalluri

common/etc/nginx/include/s3gateway.js

@@ -1045,15 +1045,24 @@ async function _fetchWebIdentityCredentials(r) {
 
     var sts_endpoint = process.env['STS_ENDPOINT'];
     if (!sts_endpoint) {
+        // On EKS, the ServiceAccount can be annotated with 'eks.amazonaws.com/sts-regional-endpoints' to control
+        // the usage of regional endpoints. We are using the same standard environment variable here as
+        // the AWS SDK. This is with the exception of replacing the value `legacy` with `global` to match
+        // what EKS sets the variable to.
+        // https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
+        // https://docs.aws.amazon.com/eks/latest/userguide/configure-sts-endpoint.html
         var sts_regional = process.env['AWS_STS_REGIONAL_ENDPOINTS'] || 'global';
         if (sts_regional === 'regional') {
+            // STS regional endpoints can be derived from the region's name.
+            // https://docs.aws.amazon.com/general/latest/gr/sts.html
             var region = process.env['AWS_REGION'];
             if (region) {
                 sts_endpoint = `https://sts.${region}.amazonaws.com`;
             } else {
                 throw 'Missing required AWS_REGION env variable';
             }
         } else {
+            // This is the default global endpoint
             sts_endpoint = 'https://sts.amazonaws.com';
         }
     }

docs/getting_started.md

@@ -268,6 +268,7 @@ modified.
   aws cloudformation delete-stack \
     --stack-name nginx-s3-gateway
   ```
+
 ## Running on EKS with IAM roles for service accounts
 
 If you are planning to use the container image on an EKS cluster, you can use a [service account]((https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)) which can assume a role using [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html).