Search before asking
Motivation
Currently S3DelegationTokenProvider hardcodes AWSStaticCredentialsProvider when building the STS client, requiring s3.access-key / s3.secret-key in config. This prevents using the AWS default credential chain (IRSA, instance profiles, environment variables).
Additionally, S3FileSystemPlugin uses the presence of access.key to distinguish server from client. Without static keys, the server is misdetected as a client and fails with NoAwsCredentialsException.
This blocks running Fluss on EKS with IRSA, which is the standard way to manage credentials on AWS.
Solution
Fix: fall back to DefaultAWSCredentialsProviderChain when no static keys are provided, and require fs.s3a.assumed.role.arn in that case (since GetSessionToken does not work with temporary credentials).
Use roleArn presence as an additional server-mode indicator in the plugin.
Anything else?
Related: #2662, #1245, #2989
Willingness to contribute
Search before asking
Motivation
Currently
S3DelegationTokenProviderhardcodesAWSStaticCredentialsProviderwhen building the STS client, requirings3.access-key/s3.secret-keyin config. This prevents using the AWS default credential chain (IRSA, instance profiles, environment variables).Additionally,
S3FileSystemPluginuses the presence ofaccess.keyto distinguish server from client. Without static keys, the server is misdetected as a client and fails withNoAwsCredentialsException.This blocks running Fluss on EKS with IRSA, which is the standard way to manage credentials on AWS.
Solution
Fix: fall back to
DefaultAWSCredentialsProviderChainwhen no static keys are provided, and requirefs.s3a.assumed.role.arnin that case (sinceGetSessionTokendoes not work with temporary credentials).Use
roleArnpresence as an additional server-mode indicator in the plugin.Anything else?
Related: #2662, #1245, #2989
Willingness to contribute