cryptoe commented on code in PR #12339:
URL: https://github.com/apache/druid/pull/12339#discussion_r841385835


##########
extensions-core/s3-extensions/src/main/java/org/apache/druid/data/input/s3/S3InputSource.java:
##########
@@ -166,15 +175,21 @@ private void applyAssumeRole(
       AWSCredentialsProvider awsCredentialsProvider
   )
   {
-    String assumeRoleArn = s3InputSourceConfig.getAssumeRoleArn();
-    if (assumeRoleArn != null) {
+    // Do not run if WebIdentityToken file and assumeRole ARN are detected 
from the environment variable,
+    // we want the default s3ClientBuilder behavior for ServiceAccount + 
eks.amazonaws.com/role-arn annotation to work.
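Review bot: The new comment at the top of the applyAssumeRole body says the method is skipped when a WebIdentityToken file and an assumeRole ARN are "detected from the environment variable", but it names neither variable and does not say what happens when the ingestion spec sets a role explicitly. The removed lines acted only on s3InputSourceConfig.getAssumeRoleArn(), and the replacement condition is not visible in this hunk, so a reader cannot tell whether an explicit spec value still takes effect once the environment values are present. Suggest naming the exact environment variables in the comment and stating the precedence between a spec-supplied ARN and the environment-derived one, so a role configured in the spec is never silently replaced by the pod's ambient identity.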

Review Comment:
   Based on reading: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
   IMHO `AWS_WEB_IDENTITY_TOKEN_FILE` should be the lowest priority of authentication that we should support as it looks like it's more supported for short duration access to AWS services.
   However, I would somehow first check why AWS_ROLE_ARN got picked up. Are you specifying it in the ingestion spec somewhere?
    
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

