-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
S3 file downloads not working with AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN #7098
Comments
Michal Kurka commented: [~accountid:5c9943ec3a5542225fedb6b9] can you please try to reproduce the issue? |
Marek Novotny commented: [~accountid:557058:04659f86-fbfe-4d01-90c9-146c34df6ee6] I’ve managed to reproduce the problem and also it seems I’ve found the cause of the problem. H2O fat jar doesn’t contain the [https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-sts|https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-sts|smart-link] library, which is required by [WebIdentityTokenCredentialsProvider|https://github.com/aws/aws-sdk-java/blame/1.12.127/aws-java-sdk-core/src/main/java/com/amazonaws/auth/WebIdentityTokenCredentialsProvider.java#L58]. [~accountid:5cbdf1602675f70e50cd543b] As workaround you can add the library to java classpath explicitly when calling h2o.init(): {noformat}import h2o Dockerfile: {noformat}FROM h2oai/h2o-open-source-k8s:3.36.0.2 |
Michal Kurka commented: Thanks, [~accountid:5c9943ec3a5542225fedb6b9] for the fix. [~accountid:5cbdf1602675f70e50cd543b] it was merged an hour ago - it will be available in today’s nightly build if you want to test it. |
Stephen Hopper commented: [~accountid:557058:04659f86-fbfe-4d01-90c9-146c34df6ee6] [~accountid:5c9943ec3a5542225fedb6b9] I finally got around to testing this with H2O 3.36.1.1. It’s working wonderfully. Thank you so much for your work on this! |
JIRA Issue Details Jira Issue: PUBDEV-8567 |
Linked PRs from JIRA |
This is essentially a re-opening of [https://h2oai.atlassian.net/browse/PUBDEV-8169|https://h2oai.atlassian.net/browse/PUBDEV-8169|smart-link].
I upgraded to H2O version 3.37.0.5718 (one of the nightly builds with the fix from [https://h2oai.atlassian.net/browse/PUBDEV-8557|https://h2oai.atlassian.net/browse/PUBDEV-8557|smart-link] ), but the issue still exists. FWIW, I tried using both {{s3://}} and {{s3a://}} URLs, but both fail. However, the AWS cli is able to download these files from the running container on EKS just fine.
FWIW, we’re starting up a container-local H2O server from Python using {{h2o.init}} (which works) and then running {{h2o.import_file}} which fails. This command works just fine if we include the standard AWS_ACCESS_KEY and secret key environment variables, but fails if we try to use the service account token mount (even though the AWS CLI has no problems).
The text was updated successfully, but these errors were encountered: