-
Notifications
You must be signed in to change notification settings - Fork 301
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: aws session creation is failing for s3 manager when roles are used #2799
fix: aws session creation is failing for s3 manager when roles are used #2799
Conversation
cd33f92
to
d98c944
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
d98c944
to
9d5961c
Compare
Codecov ReportBase: 49.62% // Head: 46.92% // Decreases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## release/1.4.x #2799 +/- ##
=================================================
- Coverage 49.62% 46.92% -2.71%
=================================================
Files 311 301 -10
Lines 52797 49161 -3636
=================================================
- Hits 26199 23067 -3132
+ Misses 25062 24628 -434
+ Partials 1536 1466 -70
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
@koladilip what are we fixing and what issue did this cause? ref |
func TestGetSessionConfigWithAccessKeys(t *testing.T) { | ||
s3Manager := S3Manager{ | ||
Config: &S3Config{ | ||
Bucket: "someBucket", | ||
AccessKeyID: "someAccessKeyId", | ||
AccessKey: "someSecretAccessKey", | ||
Region: aws.String("someRegion"), | ||
}, | ||
} | ||
awsSessionConfig := s3Manager.getSessionConfig() | ||
assert.NotNil(t, awsSessionConfig) | ||
assert.Equal(t, s3Manager.Config.AccessKey, awsSessionConfig.AccessKey) | ||
assert.Equal(t, s3Manager.Config.AccessKeyID, awsSessionConfig.AccessKeyID) | ||
} | ||
|
||
func TestGetSessionConfigWithIAMRole(t *testing.T) { | ||
s3Manager := S3Manager{ | ||
Config: &S3Config{ | ||
Bucket: "someBucket", | ||
IAMRoleARN: "someIAMRole", | ||
ExternalID: "someExternalID", | ||
Region: aws.String("someRegion"), | ||
}, | ||
} | ||
awsSessionConfig := s3Manager.getSessionConfig() | ||
assert.NotNil(t, awsSessionConfig) | ||
assert.Equal(t, s3Manager.Config.IAMRoleARN, awsSessionConfig.IAMRoleARN) | ||
assert.Equal(t, s3Manager.Config.ExternalID, awsSessionConfig.ExternalID) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aren't these meaningful anymore? Are we introducing any other tests to verify that:
- what we are fixing is actually fixed
- no regression has been introduced in the meantime by these changes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes s3Manager.getSessionConfig()
is removed so I have added few more tests to test these functionalities.
9d5961c
to
56182c0
Compare
@atzoum |
What was the issue this bug caused? Can you please include it in the pull request's title? |
56182c0
to
3ff22a0
Compare
Updated the PR title, let me know if this explains the problem. |
From the title I understand that this is not really a bug, but a new feature. Did we ever support role based auth flag in s3 manager? |
Actually this is bug as main aws session creator assumes that session config contain rolebased auth flag set properly but s3 manager didn't implement that functionality before so aws session creation is failing for s3 manage when roles are used. |
This should be the PR title then? |
Updated. |
Tested the latest AWS FTR changes on the S3 datalake and the changes are working fine. |
Redshift to use awsSession.Config.Credentials.Get() when roles are used to get temporary credentials instead of sts.GetSessionToken. Unify AWS session config creation process so that it is consistent across all AWS destinations. Earlier S3 has slightly different process to create SessionConfing so when updated the session config creation in aws utils to support RoleBasedAuth flag, it got missed for S3 manager as it was using different implementation so this unification should prevent such errors in the future.
3ff22a0
to
2bda02d
Compare
Description
Unify AWS session config creation process so that it is consistent across all AWS destinations. Earlier S3 has slightly different process to create SessionConfing so when updated the session config creation in aws utils to support RoleBasedAuth flag, it got missed for S3 manager as it was using different implementation so this unification should prevent such errors in the future.
Notion Ticket
[Warehouse AWS Role support] https://www.notion.so/rudderstacks/Warehouse-destination-config-for-Role-base-Authentication-control-plane-db9198dce2024723959c224e91a11ef4
Security