Skip to content

TIMX 540 - adjust AWS credential chain for ECS context #164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 14, 2025
Merged

TIMX 540 - adjust AWS credential chain for ECS context #164

merged 2 commits into from
Aug 14, 2025

Conversation

@ghukill
Copy link
Contributor

@ghukill ghukill commented Aug 14, 2025
edited
Loading

Purpose and background context

Small tweaks to AWS secret creation in DuckDB context after testing in ECS context.

In short: the removal of chain allows DuckDB to try all methods, e.g. sso, env, instance, etc., until it finds credentials. Previously I had a list of types I thought would work, but instance was the magic one for ECS Fargate tasks!

How can a reviewer manually see the effects of these changes?

Successful run in Dev 1 as part of StepFunction (link):

Screenshot 2025-08-14 at 1 17 05 PM

Ultimatley the run failed, but that was expected; it was the success of Transmog here that was important 😎.

Includes new or updated dependencies?

NO

Changes expectations for external applications?

YES: Transmog, pipeline lambda, and TIM should be able to DuckDB connect to S3 assets

What are the relevant tickets?

ghukill added 2 commits August 14, 2025 11:27
@ghukill
Install HTTPFS extension in DuckDB context
2fc088d
@ghukill
Omit chain from DuckDB S3 secret
5b56965 
Why these changes are being introduced:

It sounds like the best option for ECS tasks is using 'instance'
as the provider chain type, where for local dev and/or lambdas
it might be 'sso' or 'env'.  Not having 'instance' appears to cause
failures in the ECS task.

How this addresses that need:

By omitting the 'chain' option entirely from DuckDB secret creation
we allow the default provider chain to take effect.  Given our fairly
normal usage of DuckDB and S3, this is probably the best approach.

Side effects of this change:
* DuckDB to S3 connections work in ECS

Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/TIMX-540
@ghukill ghukill changed the base branch from main to epic-TIMX-515 August 14, 2025 17:07
@ghukill ghukill marked this pull request as ready for review August 14, 2025 17:18
@ghukill ghukill requested a review from a team August 14, 2025 17:18
ghukill
ghukill commented Aug 14, 2025
View reviewed changes
timdex_dataset_api/metadata.py
create or replace secret aws_s3_secret (
type s3,
provider credential_chain,
chain 'sso;env;config',
Copy link
Contributor Author

@ghukill ghukill Aug 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This here was the key change.

@ghukill ghukill mentioned this pull request Aug 14, 2025
Merged
@ghukill ghukill merged commit 0b5c556 into epic-TIMX-515 Aug 14, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ehanson8 ehanson8 ehanson8 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ghukill @ehanson8