ENG-719: Assume role for SES #6206

Merged
tvandort merged 2 commits into main from ENG-719
Jun 9, 2025

@tvandort tvandort commented Jun 8, 2025

Closes ENG-719

Description Of Changes

Allow SES to assume roles.

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required

@tvandort tvandort added the "do not merge" and "dont build" labels Jun 8, 2025

vercel Bot commented Jun 8, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Skipped Deployments
| Name | Status | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| fides-plus-nightly | ⬜️ Ignored (Inspect) | Visit Preview | | Jun 9, 2025 6:36pm |
| fides-privacy-center | ⬜️ Ignored (Inspect) | | | Jun 9, 2025 6:36pm |

@tvandort tvandort force-pushed the ENG-719 branch 2 times, most recently from ae47271 to f24124a Compare June 9, 2025 15:38

codecov Bot commented Jun 9, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 87.23%. Comparing base (1b11d23) to head (33e464d).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #6206   +/-   ##
=======================================
  Coverage   87.23%   87.23%           
=======================================
  Files         427      427           
  Lines       26600    26601    +1     
  Branches     2910     2910           
=======================================
+ Hits        23204    23205    +1     
  Misses       2767     2767           
  Partials      629      629           

@tvandort tvandort removed the "dont build" label Jun 9, 2025
@tvandort tvandort marked this pull request as ready for review June 9, 2025 17:07
@tvandort tvandort force-pushed the ENG-719 branch 3 times, most recently from 750193f to 7ca53a4 Compare June 9, 2025 17:25

@erosselli erosselli left a comment

Don't forget the changelog entry. I know there's no time for adding tests but maybe we can ticket that separately (we have a tech debt epic) and at some point the eng team (read: likely me) might be able to squeeze it into a sprint

Comment on lines +90 to +93
assume_role_arn=CONFIG.credentials.get( # pylint: disable=no-member
"notifications", {}
).get("aws_ses_assume_role_arn")
or self.messaging_config_secrets.aws_assume_role_arn,
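
Review bot: The `or` on the last line of this hunk lets the `aws_ses_assume_role_arn` value from `CONFIG.credentials` take precedence over `self.messaging_config_secrets.aws_assume_role_arn` without anything recording which one was used, so the role SES assumes can differ from the one stored in the messaging config. Consider a short comment beside the expression stating the precedence, and a log line naming the source that supplied the ARN when both are set. Note also that `or` falls through on an empty string, so a `CONFIG.credentials` value of "" selects the stored ARN rather than disabling role assumption; if that is intended, it is worth stating in the documentation for the setting.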
Contributor

this looks ok to me -- I'm just wondering what the order should be here, do we usually "prioritize" the env-set credentials? trying to think of what would follow the principle of least surprise for users configuring this integration

Contributor Author

I had a similar thought. It's... hard for me to say. For some reason I have this gut feeling that the most expected thing would be for the API to win over other methods.

But the API is less flexible in some cases bc it's a central point of truth. The reason I need to support this is for use cases where Fides is deployed to multiple regions, and this allows us to configure the environment variable granularly per region so it feels more specific in that sense.

Ultimately we chose to let the environment variable have precedence before:

assume_role_arn=CONFIG.credentials.get(  # pylint: disable=no-member
    "storage", {}
).get("aws_s3_assume_role_arn"),

target_assume_role_arn = assume_role_arn or stored_assume_role_arn
if target_assume_role_arn:

So I want to keep doing that probably?

Contributor

ah that makes sense -- let's keep it consistent with the S3 configuration
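
The precedence settled on in this thread (deployment-level config first, stored messaging config second), as an added example that is not code from the Fides repository. `resolve_assume_role_arn`, `ResolvedRole` and the sample ARNs are hypothetical, and the whitespace stripping, ARN shape check and override flag go beyond what the PR does.

```python
import re
from typing import NamedTuple, Optional

# Shape check only (partition, 12-digit account, role path/name); an assumption
# of this example, not validation performed by the PR.
ROLE_ARN_RE = re.compile(r"arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+")


class ResolvedRole(NamedTuple):
    arn: Optional[str]      # role to assume; None means use the base credentials
    source: Optional[str]   # "config", "stored" or None
    overrides_stored: bool  # True when config hides a different stored ARN


def resolve_assume_role_arn(credentials: dict, stored_arn: Optional[str]) -> ResolvedRole:
    """Deployment config wins over the stored messaging secret, as in the PR."""
    notifications = credentials.get("notifications", {})
    config_arn = (notifications.get("aws_ses_assume_role_arn") or "").strip()
    stored = (stored_arn or "").strip()
    # Empty or whitespace-only values count as unset and fall through.
    chosen, source = (config_arn, "config") if config_arn else (stored, "stored")
    if not chosen:
        return ResolvedRole(None, None, False)
    if not ROLE_ARN_RE.fullmatch(chosen):
        raise ValueError(f"{source} assume-role value is not an IAM role ARN")
    hidden = source == "config" and bool(stored) and stored != chosen
    return ResolvedRole(chosen, source, hidden)


# Constructed sample values with placeholder account IDs.
REGION_ROLE = "arn:aws:iam::111111111111:role/ses-sender-eu"
API_ROLE = "arn:aws:iam::222222222222:role/ses-sender"

if __name__ == "__main__":
    per_region = {"notifications": {"aws_ses_assume_role_arn": REGION_ROLE}}
    for creds, stored in [(per_region, API_ROLE), ({}, API_ROLE), ({}, None)]:
        result = resolve_assume_role_arn(creds, stored)
        # Log the source so an operator can tell which setting is in effect.
        print(result.source, result.arn, "overrides stored" if result.overrides_stored else "")
```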

@tvandort tvandort merged commit 0154330 into main Jun 9, 2025
40 checks passed
@tvandort tvandort deleted the ENG-719 branch June 9, 2025 19:18

cypress Bot commented Jun 9, 2025

fides    Run #12976

Run Properties: Passed #12976 • git commit 0154330039: ENG-719: Assume role for SES (#6206)
Project: fides
Branch Review: main
Run status: Passed #12976
Run duration: 00m 50s
Commit: 0154330039: ENG-719: Assume role for SES (#6206)
Committer: Tom Van Dort

Test results
Failures: 0
Flaky: 0
Pending: 0
Skipped: 0
Passing: 5

erosselli pushed a commit that referenced this pull request Jun 12, 2025
erosselli pushed a commit that referenced this pull request Jun 12, 2025
erosselli pushed a commit that referenced this pull request Jun 16, 2025