AWS authentication conventions not fully implemented #25897

Open
cpinflux opened this issue Jan 22, 2025 · 2 comments
@cpinflux
Contributor

Steps to reproduce:
List the minimal actions needed to reproduce the behaviour.

  1. Log in to AWS by cli: aws sso login
  2. Run influxdb3 with an s3 bucket

Expected behaviour:
Describe what you expected to happen.

influxdb3 should integrate with the AWS SDK for authentication and authenticate based on the previous AWS login, without needing to export the standard AWS environmental variables of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Actual behaviour:
Describe what actually happened.

Service fails with authentication issues

Additional Information:
The desired behaviour is seen in the aws cli client itself and also, for example, terraform. Neither requires the environment variables to be exported in order to utilise the existing AWS session. This also means that authentication is not limited to the scope of a single bash session; an aws login in one terminal results in (for example) terraform being able to access AWS from other terminals too.

This is the same behaviour I observed with datafusion-cli, as suggested by @alamb, suggesting that there is a common root cause here, presumably in object_store, as influxdb3 uses object_store's AmazonS3Builder interface to establish connectivity to S3.

@alamb
Contributor

alamb commented Jan 22, 2025

FWIW the code that uses the native AWS SDK to get authentication information in datafusion-cli is here:

https://github.com/apache/datafusion/blob/2aff98e002ce6d48008b8bbe2b38ee644a6d5c20/datafusion-cli/src/object_storage.rs#L112-L133

(that isn't included directly in object_store as the official AWS SDK is huge and has many dependencies)

@cpinflux
Contributor Author

I believe I have established that the authentication process that is working in this scenario is either "Assume role" or "Assume role with web identity" here https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-authentication.html and under the hood ~/.aws/cli/cache/xxxxx.json is being used. This is a newer file than the previously used ~/.aws/credentials and there are a number of issues I see in the past relating to this on Terraform where support was officially added in the Go API: aws/aws-sdk-go#3755. Naturally this is Go, not Rust, but potentially points towards equivalent functionality hopefully already present in the Rust SDK.
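
The mismatch reported in this thread, as an added diagnostic example (not part of the issue, and not code from influxdb3, object_store or the AWS SDK): it lists which credential sources exist for a given environment and home directory, and flags the case where a login session is on disk but the two environment variables are unset. Assumptions: the names `discover`, `env_only_client_fails` and `Source` are hypothetical, `~/.aws/sso/cache` is the AWS CLI's SSO token cache (a path not mentioned in the thread), and `HOME` points at the home directory (Unix-like systems). Only file presence is checked; no credential file is read.

```rust
// Added diagnostic sketch; every name here is hypothetical, not an influxdb3 or object_store API.
use std::collections::HashMap;
use std::path::{Path, PathBuf};

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Source { EnvStaticKeys, SharedCredentialsFile, SsoTokenCache, CliCredentialCache }

// True when `dir` holds at least one *.json entry; file contents are never read.
fn has_json(dir: &Path) -> bool {
    std::fs::read_dir(dir)
        .map(|it| it.flatten().any(|e| e.path().extension().map_or(false, |x| x == "json")))
        .unwrap_or(false)
}

/// Lists the credential sources visible for the given environment and home directory.
pub fn discover(env: &HashMap<String, String>, home: &Path) -> Vec<Source> {
    let set = |k: &str| env.get(k).map_or(false, |v| !v.is_empty());
    let aws = home.join(".aws");
    // AWS_SHARED_CREDENTIALS_FILE overrides the default ~/.aws/credentials location.
    let shared = env.get("AWS_SHARED_CREDENTIALS_FILE")
        .map(|p| PathBuf::from(p)).unwrap_or_else(|| aws.join("credentials"));
    let mut found = Vec::new();
    if set("AWS_ACCESS_KEY_ID") && set("AWS_SECRET_ACCESS_KEY") { found.push(Source::EnvStaticKeys); }
    if shared.is_file() { found.push(Source::SharedCredentialsFile); }
    if has_json(&aws.join("sso").join("cache")) { found.push(Source::SsoTokenCache); }
    if has_json(&aws.join("cli").join("cache")) { found.push(Source::CliCredentialCache); }
    found
}

/// The symptom in this report: some login state exists on disk, but a client that
/// reads only AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY finds no credentials.
pub fn env_only_client_fails(found: &[Source]) -> bool {
    !found.is_empty() && !found.contains(&Source::EnvStaticKeys)
}

fn main() {
    // Skip variables that are not valid UTF-8 instead of panicking on them.
    let env: HashMap<String, String> = std::env::vars_os()
        .filter_map(|(k, v)| Some((k.into_string().ok()?, v.into_string().ok()?)))
        .collect();
    let home = PathBuf::from(env.get("HOME").cloned().unwrap_or_default());
    let found = discover(&env, &home);
    println!("credential sources found: {:?}", found);
    println!("env-only client would fail: {}", env_only_client_fails(&found));
}
```

Running it in the terminal that starts the service and again in the terminal where `aws sso login` was run shows whether the two shells differ only in exported variables.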
