Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(s3): support default credentials provider in AWS S3 storage #37

Merged
merged 3 commits into from
Mar 5, 2025
Merged

feat(s3): support default credentials provider in AWS S3 storage #37

merged 3 commits into from
Mar 5, 2025

Conversation

rohilsurana
Copy link
Contributor

@rohilsurana rohilsurana commented Jan 13, 2025
edited
Loading

Problem

Currently the only way to set AWS credentials is via setting the static credentials as environment variables or by passing as a flag when executing.
Some systems already have credentials setup using different ways provided by aws like credentials file, config file or EC2 profiles.

Solution

This PR adds support for using AWS S3 credentials from default credentials provider chain in the SDK.
The order for the AWS SDK golang is documented at [1].
The order for duckdb is documented at [2].

Changes

  • Adds a new configuration AWS_CREDENTIALS_TYPE with options STATIC and DEFAULT.
    • STATIC maintains the old behaviour and uses the supplied static credentials.
    • DEFAULT uses the AWS SDK and DuckDB default credentials chain.
  • AWS client config changes for syncing tables
  • DuckDB create secret query changes for creating S3 secret as per new config.
  • Update README with details of the new config.
  • Add aws credentials refresh for duckdb as it does not update credentials when expired.

[1] AWS SDK Golang - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
[2] DuckDB S3 API Support - https://duckdb.org/docs/extensions/httpfs/s3api.html#credential_chain-provider

@rohilsurana rohilsurana marked this pull request as draft January 17, 2025 05:38
rohilsurana
rohilsurana commented Jan 17, 2025
View reviewed changes
src/duckdb.go
Comment on lines +52 to +64
ticker := time.NewTicker(10 * time.Minute)
time.Tick(10 * time.Minute)
go func() {
for {
select {
case <-ticker.C:
duckdb.setAwsCredentials(ctx)
case <-duckdb.refreshQuit:
ticker.Stop()
return
}
}
}()
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This refresh logic is required because duckdb doesn't refresh credentials. Ref - duckdb/duckdb-aws#26

TODO: refactor to provide refresh interval as a config.

@arjunlol arjunlol force-pushed the main branch 3 times, most recently from 89db433 to a45307d Compare February 13, 2025 02:56
@exAspArk exAspArk merged commit fb537ec into BemiHQ:main Mar 5, 2025
@exAspArk
Copy link
Member

exAspArk commented Mar 5, 2025

Hey @rohilsurana — thanks a lot for submitting this pull request! 🎉

We've merged it by making some small adjustments to avoid adding an extra configuration option and to keep it as simple as possible from a usability perspective. I.e., if the AWS access key is not specified, it'll fallback to the AWS SDK credential chain trying to get the credentials from the config file, STS, or SSO.

This has been released in v0.38.0. Congrats on becoming a BemiDB contributor!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rohilsurana @exAspArk