[s3-repository] Don't fail if there no symlink for AWS Web Identity T…

…oken (#84697) (#84825) Make sure users can use the static credentials even if there is a service account with IAM roles configured on the system. See #52625 (comment)
elastic · Mar 9, 2022 · cd7da80 · cd7da80
1 parent 861bd0e
commit cd7da80
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/docs/changelog/84697.yaml b/docs/changelog/84697.yaml
@@ -0,0 +1,5 @@
+pr: 84697
+summary: Don't fail if there no symlink for AWS Web Identity Token
+area: Snapshot/Restore
+type: bug
+issues: []
diff --git a/modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java b/modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java
@@ -292,9 +292,14 @@ static class CustomWebIdentityTokenCredentialsProvider implements AWSCredentials
                 return;
             }
             // Make sure that a readable symlink to the token file exists in the plugin config directory
+            // AWS_WEB_IDENTITY_TOKEN_FILE exists but we only use Web Identity Tokens if a corresponding symlink exists and is readable
             Path webIdentityTokenFileSymlink = environment.configFile().resolve("repository-s3/aws-web-identity-token-file");
             if (Files.exists(webIdentityTokenFileSymlink) == false) {
-                throw new IllegalStateException("A Web Identity Token symlink in the config directory doesn't exist");
+                LOGGER.warn(
+                    "Cannot use AWS Web Identity Tokens: AWS_WEB_IDENTITY_TOKEN_FILE is defined but no corresponding symlink exists "
+                        + "in the config directory"
+                );
+                return;
             }
             if (Files.isReadable(webIdentityTokenFileSymlink) == false) {
                 throw new IllegalStateException("Unable to read a Web Identity Token symlink in the config directory");