Taragolis commented on code in PR #26946:
URL: https://github.com/apache/airflow/pull/26946#discussion_r992780811


##########
airflow/providers/amazon/aws/hooks/base_aws.py:
##########
@@ -125,7 +125,13 @@ def create_session(self) -> boto3.session.Session:
             return boto3.session.Session(region_name=self.region_name)
         elif not self.role_arn:
             return self.basic_session
-        return 
self._create_session_with_assume_role(session_kwargs=self.conn.session_kwargs)
+        # Values stored in AwsConnectionWrapper.session_kwargs intend to use 
only create initial boto3 session
+        # If user want to use 'assume_role' mechanism we need provide only 
'region_name'
+        # otherwise other parameters might conflict with base botocore session.
+        assume_session_kwargs = {}
+        if self.conn.region_name:
+            assume_session_kwargs["region_name"] = self.conn.region_name
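
Review bot: `if self.conn.region_name:` takes the region from the connection wrapper, while the context line at the top of this hunk builds its session with `region_name=self.region_name`. If the hook-level value can differ from the connection's, the assume-role session would be created with a different region than that branch uses; read the region from the same attribute in both places, or say in the comment why they differ. The added comment is also hard to parse at "intend to use only create initial boto3 session"; wording such as "session_kwargs are meant only for creating the initial boto3 session; for assume_role pass only region_name, other parameters might conflict with the base botocore session" would make the intent clear to the next reader.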

Review Comment:
   Unfortunately not, this is something which is not well covered in the boto3 documentation.
   Initially [boto3.session.Session](https://boto3.amazonaws.com/v1/documentation/api/latest/_modules/boto3/session.html#Session) creates a low-level botocore session or uses the provided botocore.session, and after that it applies explicit credentials if they are provided.
   
   botocore has only short info about itself in the [documentation](https://botocore.amazonaws.com/v1/documentation/api/latest/tutorial/index.html), which does not cover their session well. So let me refer to the code
   
   _boto3.session.Session init constructor_
   ```python
   if aws_access_key_id or aws_secret_access_key or aws_session_token:
       self._session.set_credentials(
           aws_access_key_id, aws_secret_access_key, aws_session_token
       )
   ```
   
   
   [botocore.session.set_credentials](https://github.com/boto/botocore/blob/fec0e5bd5e4a9d7dcadb36198423e61437294fe6/botocore/session.py#L476-L495)
   
   When we create a botocore session for assume_role we use a bit hacky approach (access to private methods/properties)
   
   https://github.com/apache/airflow/blob/8e2e80a0ce0e1819874e183fb1662e879cdd8a08/airflow/providers/amazon/aws/hooks/base_aws.py#L150-L153
   
   So if we provide:
   1. `aws_access_key_id` or `aws_secret_access_key` or `aws_session_token` - it will replace the assumed credentials in the botocore session. We already use these credentials when assuming the role
   2. `profile_name` - possibly nothing bad happens, but it is better not to provide it, since we already use it during session creation
   3. `region_name` - nothing bad happens, we use exactly the same region_name as the user provides for the initial session and assume_role. For the initial session `region_name` only affects the STS endpoint
   