-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[C++] Support AWS S3 Web identity credentials #26628
Comments
Antoine Pitrou / @pitrou: |
Paul Balanca / @balancap: |
Antoine Pitrou / @pitrou: |
Antoine Pitrou / @pitrou: |
Tobias Ullrich: we just tried to use this (as we need it in a k8s setup) and it does not work in pyarrow. Looking at the code and both PRs, it seems like PR #10088 is actually not adding the capabilities in Python. PR #8977 seems to would have added this. Please let me know if I am missing something here. Thank you. -Tobias |
Antoine Pitrou / @pitrou: |
Antoine Pitrou / @pitrou: |
It seems to me that Arrow only supports at the moment the "AssumeRole" AWS STS API, but not the other options offered:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
https://sdk.amazonaws.com/cpp/api/LATEST/class_aws_1_1_auth_1_1_s_t_s_assume_role_web_identity_credentials_provider.html
I am clearly no security/infra expert, but it seems that the configuration "AssumeRoleWithWebIdentity" is used commonly in Kubernetes setups, and I believe it would be beneficial for Arrow C++ & Python library to support.
At the moment, a workaround is to call directly
aws sts
to generate a temporary session, but it is a fairly painful solution as the session expires, all PyArrow objects with an S3 filesystem (datasets, ...) need to be re-built with new credentials.Reporter: Paul Balanca / @balancap
Assignee: Sahil Gupta / @sahil1105
Related issues:
PRs and other links:
Note: This issue was originally created as ARROW-10675. Please see the migration documentation for further details.
The text was updated successfully, but these errors were encountered: