[ 
https://issues.apache.org/jira/browse/HADOOP-19535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18007252#comment-18007252
 ] 

ASF GitHub Bot commented on HADOOP-19535:
-----------------------------------------

steveloughran commented on code in PR #7802:
URL: https://github.com/apache/hadoop/pull/7802#discussion_r2207506503


##########
hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/AWSCredentialProviderList.java:
##########
@@ -197,7 +197,17 @@ public AwsCredentials resolveCredentials() {
       } catch (SdkException e) {
         lastException = e;
         LOG.debug("No credentials provided by {}: {}",
-            provider, e.toString(), e);
+            provider, e);
+      } catch (Exception e) {
+        // convert any other exception into SDKException.
+        // This is required because some credential provider like
+        // WebIdentityTokenFileCredentialsProvider might throw
+        // exceptions other than SdkException.
+        if (e.getMessage() != null) {
+          lastException = SdkException.create(e.getMessage(), e);
+        }
+        LOG.debug("No credentials provided by {}: {}",

Review Comment:
   sl4j always converts the last argument to a stack trace if its a throwable, 
which is why there's that 
   
   ```
           LOG.debug("No credentials provided by {}: {}",
               provider, e.toString(), e);
   ```
   
   sequence. 
   
   IF you do want to drop the toString value, losing it down the log, then you 
shoudl cut the no longer needed {}
   ```
    LOG.debug("No credentials provided by {}",
               provider, e);
   ```
   but since I do want that string, best to leave it as it was when I wrote it. 
nested traces get so long that the lower levels can get lost. 
   





> S3A : Add WebIdentityTokenFileCredentialsProvider to default S3 credential 
> provider chain
> -----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-19535
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19535
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs/s3
>            Reporter: Syed Shameerur Rahman
>            Assignee: Syed Shameerur Rahman
>            Priority: Major
>              Labels: pull-request-available
>
> The current default s3 credential provider chain is set in the order of 
> {code:java}
> org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider,org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider,software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider,org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider{code}
> Refer [code ref 
> |https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml#L1450]for
>  more details.
>  
> This works perfectly fine when used in AWS EC2, EMR Serverless, but not with 
> AWS EKS pods.
>  
> For EKS pods, It is recommended to use
> {code:java}
> software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider
>  , software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider 
> (PodIdentity is enabled){code}
> WebIdentityTokenFileCredentialsProvider is an AWS credentials provider that 
> enables applications to obtain temporary AWS credentials by assuming an IAM 
> role using a web identity token (like OAuth or OIDC tokens). It's 
> particularly important in EKS as it's the underlying mechanism that makes 
> IRSA (IAM Roles for Service Accounts) work.
>  
>  
> ContainerCredentialsProvider is already part of 
> org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to