Josh Souza created SOLR-16429:
---------------------------------
Summary: Missing dependency for STS - Cannot leverage Web Identity
Tokens
Key: SOLR-16429
URL: https://issues.apache.org/jira/browse/SOLR-16429
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Components: Backup/Restore
Affects Versions: 8.11.2
Environment: Solr 8 (and later), when operating in a container within
AWS, attempting to leverage Web Identity Tokens as part of S3 backups.
Reporter: Josh Souza
As discovered in
[apache/solr-operator#475|https://github.com/apache/solr-operator/issues/475]
the {{s3-repository}} contrib module is missing a dependency on the
{{software.amazon.awssdk:sts}} module in order to enable authentication via Web
Identity Tokens (STS).
The documentation for the Solr Operator
([https://apache.github.io/solr-operator/docs/solr-backup/#s3-credentials] /
[https://github.com/apache/solr-operator/blob/61c74353505e0e7171bdb3ff41102af47fb589fc/docs/solr-backup/README.md?plain=1#L342-L343])
references that this should be possible, and any other implementation of Solr
on Kubernetes (or any other AWS system using IRSA) won't be able to use the
default credential process to use Web Identity Tokens without this module
dependency.
Discovered by following breadcrumbs from:
[aws/aws-sdk-java-v2#2123|https://github.com/aws/aws-sdk-java-v2/issues/2123]
Adding the `sts` jar to the classpath has confirmed to address this issue, but
this is likely a miss on testing dependencies because it's pretty difficult to
test. (Solr wouldn't call out to this code, it's the internal AWS api that
needs this as part of the default chain).
I'll try to get a PR together to add this in.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
