
fix(s3): use AWS SDK default credential chain when explicit keys are absent #1079

Merged: ct3685 merged 1 commit into staging from ct/fix-csv-parser-s3-credential-chain on May 20, 2026

ct3685 commented May 20, 2026

Problem

Four places in the codebase were building S3 clients with:

```ts
credentials: {
accessKeyId: process.env.S3_STORAGE_ACCESS_KEY_ID ?? '',
secretAccessKey: process.env.S3_STORAGE_SECRET_ACCESS_KEY ?? ''
}
```

Passing an empty string is not the same as omitting credentials. AWS SDK v3 sees a credential object with an empty AKID and immediately throws:

The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential.

This breaks any deployment that relies on IAM instance roles, ECS task roles, or Copilot-injected credentials rather than explicit env vars.

Fix

Only attach credentials when both env vars are non-empty — otherwise omit them entirely so the AWS SDK falls through to its default credential chain (IAM roles, ECS/Copilot task roles, ~/.aws/credentials, etc.).

This is the same pattern already used by chatflow-storage, video-generator, dalle-image, dalle-image-upload, and the logger throughout the repo.

Files changed

| File | Issue |
|------|-------|
| `packages/server/src/services/csv-parser/index.ts` | Inline `new S3Client` with `?? ''` on both keys |
| `packages-answers/scripts/generateCsv.ts` | Top-level `new S3` with `?? ''` on both keys |
| `packages-answers/scripts/initCsvRun.ts` | Top-level `new S3` with `?? ''` on both keys |
| `packages-answers/utils/src/ingest/document.ts` | `new S3Client` inside function — already had an early-exit guard but still passed potentially-empty strings into `credentials` |

Test plan

  • Deploy to an environment using IAM/Copilot credentials (no explicit S3_STORAGE_ACCESS_KEY_ID) — CSV upload and processing should succeed
  • Deploy with explicit S3_STORAGE_ACCESS_KEY_ID / S3_STORAGE_SECRET_ACCESS_KEY — still works as before
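
Added example (not code from this pull request or the repository): a TypeScript sketch of the conditional-credentials pattern described in the PR description above, next to the `?? ''` form it replaces. The helper names (`s3CredentialOptions`, `legacyCredentialOptions`, `credentialMode`, `EnvLike`), the `'partial'` diagnostic for a half-set key pair, and treating whitespace-only values as empty are assumptions; only the two environment variable names come from the page.

```typescript
// Hypothetical helpers illustrating the pattern; not the repository's code.
type EnvLike = Record<string, string | undefined>
type StaticCredentials = { accessKeyId: string; secretAccessKey: string }
type CredentialMode = 'explicit' | 'default-chain' | 'partial'

// Assumption: a whitespace-only value counts as "not set".
const isSet = (v: string | undefined): v is string => typeof v === 'string' && v.trim() !== ''

// "Before" form from the PR description: always returns a credentials object,
// so a missing env var becomes an empty access key instead of "no credentials".
function legacyCredentialOptions(env: EnvLike): { credentials: StaticCredentials } {
    return {
        credentials: {
            accessKeyId: env['S3_STORAGE_ACCESS_KEY_ID'] ?? '',
            secretAccessKey: env['S3_STORAGE_SECRET_ACCESS_KEY'] ?? ''
        }
    }
}

// "After" form: the `credentials` key exists only when both values are set.
// Spread the result into the client options, e.g.
//   new S3Client({ region, ...s3CredentialOptions(process.env) })
// so that an absent key lets the SDK use its default credential chain.
function s3CredentialOptions(env: EnvLike): { credentials?: StaticCredentials } {
    const accessKeyId = env['S3_STORAGE_ACCESS_KEY_ID']
    const secretAccessKey = env['S3_STORAGE_SECRET_ACCESS_KEY']
    if (isSet(accessKeyId) && isSet(secretAccessKey)) {
        return { credentials: { accessKeyId, secretAccessKey } }
    }
    return {}
}

// Startup diagnostic that is safe to log: reports which source will be used
// without touching the key material. 'partial' flags a half-configured pair,
// which falls back to the default chain and is usually a deployment mistake.
function credentialMode(env: EnvLike): CredentialMode {
    const hasId = isSet(env['S3_STORAGE_ACCESS_KEY_ID'])
    const hasSecret = isSet(env['S3_STORAGE_SECRET_ACCESS_KEY'])
    if (hasId && hasSecret) return 'explicit'
    return hasId || hasSecret ? 'partial' : 'default-chain'
}

// Constructed sample environments (placeholder values, not real keys).
const ROLE_BASED_ENV: EnvLike = {}
const EXPLICIT_ENV: EnvLike = {
    S3_STORAGE_ACCESS_KEY_ID: 'AKIDEXAMPLE',
    S3_STORAGE_SECRET_ACCESS_KEY: 'constructed-secret'
}
const HALF_SET_ENV: EnvLike = { S3_STORAGE_ACCESS_KEY_ID: 'AKIDEXAMPLE', S3_STORAGE_SECRET_ACCESS_KEY: '' }
```

Logging `credentialMode(process.env)` once at startup shows whether a deployment is running on static keys or on its role, which also helps when auditing for long-lived keys that could be retired.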

ct3685 merged commit 9b350db into staging May 20, 2026
5 of 8 checks passed
ct3685 deleted the ct/fix-csv-parser-s3-credential-chain branch May 20, 2026 16:06

ct3685 added a commit that referenced this pull request May 20, 2026
## 🚀 Release: Staging to Production

**Release Date:** 2026-05-20

### Changes in this release

- fix(csv-parser): use AWS SDK default credential chain when explicit
keys absent (#1079) (9b350db)

---
*This PR is automatically created/updated when commits are pushed to
staging.*
*Merging this PR will trigger the release workflow to create a new
GitHub release.*

Co-authored-by: Cameron Taylor <50385537+ct3685@users.noreply.github.com>

ct3685 changed the title from "fix(csv-parser): use AWS SDK default credential chain when explicit keys absent" to "fix(s3): use AWS SDK default credential chain when explicit keys are absent" May 20, 2026

ct3685 added a commit that referenced this pull request May 20, 2026
…nd ingest util (#1082)

## Problem

Three more files had the same `?? ''` S3 credential bug fixed in #1079 —
passes empty strings when env vars are absent, breaking IAM/Copilot/ECS
deployments.

## Files changed

| File | Issue |
|------|-------|
| `packages-answers/scripts/generateCsv.ts` | Top-level `new S3` with `?? ''` on both keys |
| `packages-answers/scripts/initCsvRun.ts` | Top-level `new S3` with `?? ''` on both keys |
| `packages-answers/utils/src/ingest/document.ts` | `new S3Client` with explicit credentials passed unconditionally |

## Fix

Same pattern as #1079 — only attach `credentials` when both env vars are
non-empty; otherwise omit and let the AWS SDK default credential chain
handle it (IAM, ECS task roles, Copilot, Render env vars, etc.).

## Test plan
- [ ] Verify CSV standalone scripts work in IAM-based env (no explicit
S3 keys)
- [ ] Verify document ingest works in IAM-based env
- [ ] Confirm Render (explicit env vars) still works as before