Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User-supplied credential callback #234

Draft
wants to merge 7 commits into
base: main
Choose a base branch
from
Draft

User-supplied credential callback #234

wants to merge 7 commits into from
+438 −8

Conversation

kylebarron
Copy link
Member

@kylebarron kylebarron commented Feb 6, 2025
edited
Loading

There's a myriad number of ways to handle credentials for each of these stores, and I don't want to be implementing every last one of these. Luckily, object_store allows for external credential providers, and we can allow users to implement their own totally custom authentication in Python!

This is a proof of concept that is tested as working with both a synchronous or asynchronous credential provider! Here are a couple examples:

def credential_provider() -> S3Credential:
    session = boto3.Session(aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token)
    credentials = session.get_credentials().get_frozen_credentials()
    return {
        "access_key_id": credentials.access_key,
        "secret_access_key": credentials.secret_key,
        "token": credentials.token,
        "timeout": datetime.now() + timedelta(days=1000)
    }

store = S3Store("ds-wheels", credential_provider=credential_provider)
test = obs.list(store).collect()
async def credential_provider() -> S3Credential:
    session = boto3.Session(aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token)
    credentials = session.get_credentials().get_frozen_credentials()
    return {
        "access_key_id": credentials.access_key,
        "secret_access_key": credentials.secret_key,
        "token": credentials.token,
        "timeout": datetime.now() + timedelta(days=1000)
    }

store = S3Store("ds-wheels", credential_provider=credential_provider)
await obs.list(store).collect_async()

Notes:

  • Only try to refresh credentials (i.e. call the Python callback) when necessary. This includes handling the timeout datetime correctly.
  • Passing an async callback will hang if you use sync obstore APIs. You need to use async obstore APIs if you pass in an async callback.
  • Example with at least S3, maybe aws sts, and maybe azure (planetary computer?)
  • Use something like upstream's TokenCache
  • Update pickle "advanced" doc for whether this will work in pickle

Closes #232

@kylebarron kylebarron added this to the 0.5.0 milestone Feb 7, 2025
@kylebarron kylebarron mentioned this pull request Feb 11, 2025
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.5.0
Development

Successfully merging this pull request may close these issues.

optional auth callback for each store
1 participant
@kylebarron