Taragolis commented on code in PR #26946: URL: https://github.com/apache/airflow/pull/26946#discussion_r992780811
########## airflow/providers/amazon/aws/hooks/base_aws.py: ########## 
@@ -125,7 +125,13 @@ def create_session(self) -> boto3.session.Session: return boto3.session.Session(region_name=self.region_name) elif not self.role_arn: return self.basic_session - return self._create_session_with_assume_role(session_kwargs=self.conn.session_kwargs) + # Values stored in AwsConnectionWrapper.session_kwargs intend to use only create initial boto3 session + # If user want to use 'assume_role' mechanism we need provide only 'region_name' + # otherwise other parameters might conflict with base botocore session. + assume_session_kwargs = {} + if self.conn.region_name: + assume_session_kwargs["region_name"] = self.conn.region_name

Review Comment:

Unfortunately not, this is something which is not well covered in the boto3 documentation. Initially [boto3.session.Session](https://boto3.amazonaws.com/v1/documentation/api/latest/_modules/boto3/session.html#Session) creates a low-level botocore session or uses the provided botocore.session, and after that it applies explicit credentials if they are provided. botocore has only short info about itself in the [documentation](https://botocore.amazonaws.com/v1/documentation/api/latest/tutorial/index.html), which does not cover its session well. So let me refer to the code of the _boto3.session.Session init constructor_:

```python
if aws_access_key_id or aws_secret_access_key or aws_session_token:
    self._session.set_credentials(
        aws_access_key_id, aws_secret_access_key, aws_session_token
    )
```

[botocore.session.set_credentials](https://github.com/boto/botocore/blob/fec0e5bd5e4a9d7dcadb36198423e61437294fe6/botocore/session.py#L476-L495)

When we create the botocore session for assume_role we use a bit of a hacky approach (access to private methods/properties): https://github.com/apache/airflow/blob/8e2e80a0ce0e1819874e183fb1662e879cdd8a08/airflow/providers/amazon/aws/hooks/base_aws.py#L150-L153

So if we provide:

1. `aws_access_key_id` or `aws_secret_access_key` or `aws_session_token`: it will replace the assumed credentials in the botocore session. We already use these credentials when we assume the role.
2. `profile_name`: probably nothing bad happens, but it is better not to provide it, since we already use it during session creation.
3. `region_name`: nothing bad happens, we use exactly the same region_name as the user provides for both the initial and the assume_role session. For the initial session `region_name` only affects the STS endpoint.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
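Review bot: the new comment in the hunk says the other `session_kwargs` "might conflict with base botocore session", but the failure mode is concrete and worth stating in the code: any `aws_access_key_id` / `aws_secret_access_key` / `aws_session_token` passed to `boto3.session.Session` is applied through `set_credentials` and silently replaces the assumed-role credentials, so clients built from that session would act as the base identity instead of the assumed role. Suggest rewording the three comment lines to say that (e.g. `# Only region_name is forwarded: explicit credentials or profile_name would overwrite the assumed-role credentials already set on the botocore session`), which also fixes the grammar ("intend to use only create", "If user want"), and adding a test that asserts the returned session's `get_credentials().access_key` is the assumed-role key rather than the connection's base key. The hunk ends at the `assume_session_kwargs["region_name"]` assignment, so the call that consumes `assume_session_kwargs` is not visible here for review.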