-
Notifications
You must be signed in to change notification settings - Fork 419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Assume role support has been broken since 2022 🤣 #2879
Comments
Comparing the current |
I believe this happened when we switched from the rusoto crate to the official AWS SDK crate in delta-rs. Those options are still defined in our code, but don't actually get pulled through to configure the underlying AWS client 🤕 |
Based on my analysis this change was responsible for removing assume role support. In essence |
This change implements a number of improvements to the code paths for loading credentials. This is a prerequisite to fixing assume role support delta-io#2879 but should also address a number of bugs I noticed: * Python libraries can pass in keys via `storage_options` which are used for configuration of the AmazonS3 ObjectStore, but those credentials would not be used in the construction of the DynamoDB connection * Using AWS credentials such as those from ~/.aws/profile or SSO would not be properly dropped into the AmazonS3 object store creation There is some additional work that needs to come in to clean up how various options overrides are managed still. Sponsored-by: Scribd Inc.
This change implements a number of improvements to the code paths for loading credentials. This is a prerequisite to fixing assume role support delta-io#2879 but should also address a number of bugs I noticed: * Python libraries can pass in keys via `storage_options` which are used for configuration of the AmazonS3 ObjectStore, but those credentials would not be used in the construction of the DynamoDB connection * Using AWS credentials such as those from ~/.aws/profile or SSO would not be properly dropped into the AmazonS3 object store creation There is some additional work that needs to come in to clean up how various options overrides are managed still. Sponsored-by: Scribd Inc.
This change implements a number of improvements to the code paths for loading credentials. This is a prerequisite to fixing assume role support delta-io#2879 but should also address a number of bugs I noticed: * Python libraries can pass in keys via `storage_options` which are used for configuration of the AmazonS3 ObjectStore, but those credentials would not be used in the construction of the DynamoDB connection * Using AWS credentials such as those from ~/.aws/profile or SSO would not be properly dropped into the AmazonS3 object store creation There is some additional work that needs to come in to clean up how various options overrides are managed still. Sponsored-by: Scribd Inc.
This change implements a number of improvements to the code paths for loading credentials. This is a prerequisite to fixing assume role support #2879 but should also address a number of bugs I noticed: * Python libraries can pass in keys via `storage_options` which are used for configuration of the AmazonS3 ObjectStore, but those credentials would not be used in the construction of the DynamoDB connection * Using AWS credentials such as those from ~/.aws/profile or SSO would not be properly dropped into the AmazonS3 object store creation There is some additional work that needs to come in to clean up how various options overrides are managed still. Sponsored-by: Scribd Inc.
kafka-delta-ingest version 0.2.0 fails to assume the specified IAM role for cross-account writes to S3, resulting in an Access Denied (403) error, the previous version of the application worked correctly under the same configuration.
error log
Current setup:
• AWS Account A: kafka-delta-ingest running as an ECS task.
• AWS Account B: S3 bucket for storage and DynamoDB for lock table.
Steps Taken:
Expected Behavior:
The application should properly assume the IAM role specified in the AWS_S3_ASSUME_ROLE_ARN environment variable and perform cross-account writes to S3 in Account B.
The text was updated successfully, but these errors were encountered: