internal/resource: support S3 access point URLs #1264
Conversation
There was a problem hiding this comment.
This might need a kola test coverage, but overall changes look good to me.
@bgilbert could you take another stab at it?
|
Hey @sohankunkerkar could I have you take a look again? No new changes, but between the time you approved and the time I saw it, the default branch caused some merge conflicts that I needed to resolve. |
There was a problem hiding this comment.
Thanks for the PR! And thanks for your patience; apologies for the slow review.
I think we should probably support this as a separate arn URL scheme, and be a little more rigorous about doing so, e.g. by checking the service name and by supporting non-accesspoint S3 ARNs. Feedback welcome, though.
I agree with @sohankunkerkar that we should have a kola test for this, probably as an external test. Feel free to add one if you'd like to dig into that infrastructure, but it probably makes more sense for us to handle that part ourselves.
|
Thanks for the review @bgilbert . I've addressed your comments and generally supported the opaque It uses the aws sdk to more rigorously check that the ARN is for S3, and supports non-accesspoint S3 ARNs as well as accesspoint S3 ARNs. I've also added comments about the expected format of the ARN resource and official AWS documentation that supports those expectations. Please take a look and let me know what think. |
|
Happy new year. @bgilbert could you please take a look and let me know if this is okay to merge? |
|
@bgilbert could you take another look at this please? |
There was a problem hiding this comment.
Thanks for your patience once again. This generally looks good; just one issue around handling of AWS partitions, and a question about whether we should support version IDs with arn.
You'll need to rebase this to current main, since our CI checks have changed. Also, in this case I think the whole PR counts as one logical change, so please squash the PR down to one commit.
I'll aim to get you a faster response in the next round. 🙂
| @@ -17,6 +17,7 @@ package types | |||
| import ( | |||
| "net/url" | |||
|
|
|||
| "github.com/aws/aws-sdk-go/aws/arn" | |||
There was a problem hiding this comment.
For the record, this adds a dependency to our external API. However, the arn package only depends on the stdlib, so this shouldn't be too impactful.
zeleena
force-pushed
the
aws-s3-access-points
branch
from
9990a3c to
828a4cd
Compare
|
Hi @bgilbert, I've addressed the comments, rebased, and squashed my PR down to one commit as requested. Please take a look. |
internal/resource/url.go
Outdated
| key = strings.Join(urlSplit[1:], "/") | ||
| } | ||
|
|
||
| sess.Config.Region = aws.String(s3arn.Region) |
There was a problem hiding this comment.
S3 ARNs don't include the Region field so this won't be sufficient for non-aws partitions. We may need to add a hardcoded map from AWS partitions (s3arn.Partition) to a representative region for region hinting. (Or maybe the AWS SDK can do that for us?)
There was a problem hiding this comment.
AWS partitions are commonly aws or aws-cn from those docs, and there isn't a clear way to get region from those.
What I've done to address this is to use the current way of using GetBucketRegion for the S3 bucket and S3 bucket ARN cases since we have the bucket name available, and used the Region field for the S3 accesspoint case since the Region field will exist for accesspoints.
There was a problem hiding this comment.
As is, the non-accesspoint case will fail to select the correct region if we're running in a different partition than the one specified in the ARN. I still think a lookup table for a representative regionHint, indexed by partition, is the right solution here.
|
Filed #1322 to track followups to this PR (kola tests and docs). |
zeleena
force-pushed
the
aws-s3-access-points
branch
from
dff4066 to
b5f1dde
Compare
Not sure why I can't reply to this comment directly below it. There is no custom query to strip off; this code uses the u.Scheme and u.Opaque to create the I added test cases to cover all three cases of S3 bucket, S3 bucket ARN and S3 accesspoint ARN and their corresponding URL with versioning. |
|
Also, can you confirm whether you were able to test this? |
zeleena
force-pushed
the
aws-s3-access-points
branch
from
b5f1dde to
961d70e
Compare
Yes, this can still retrieve configs from S3 given a bucket in s3 or arn format as before. Multi-region access points won't be enabled until this uses aws-sdk-go-v2, which I hope to do in a follow-up PR. Also one thing is that I had to modify my setup to include a fix for golang/go#51706, but I imagine this was related to my local setup. Please take a look and feel free to merge if this is good to go. |
|
Also, it looks like there is a merge commit in the PR. Could you try rebasing your commit onto the latest main? |
zeleena
force-pushed
the
aws-s3-access-points
branch
from
dc84fed to
baa443f
Compare
Support S3 access point URLs in ARN format as a source. This allows valid, opaque S3 URLs such as `s3:arn:aws:s3:us-west-2:123456789012:accesspoint/test/object` Being able to use this format will allow S3 URLs on different partitions and lays the foundation to potentially support multi-region access points in the future. Fixes coreos#1091 Signed-off-by: Zeleena Kearney <[email protected]>
zeleena
force-pushed
the
aws-s3-access-points
branch
from
baa443f to
4daa32d
Compare
There was a problem hiding this comment.
This looks great! Thanks so much for your extensive patience in pushing this to the finish line.
There are a couple tiny nits and I'm still not convinced about the partition selection for non-accesspoint ARNs, but let's merge this now and I'll see about making a followup PR.
|
Nits addressed in #1355. |
Support S3 access point URLs in ARN format as a source.
This allows valid, opaque S3 URLs such as
s3:arn:aws:s3:us-west-2:123456789012:accesspoint/test/objectBeing able to use this format will allow S3 URLs on different
partitions and lays the foundation to potentially support
multi-region access points in the future.
Fixes #1091
Signed-off-by: Zeleena Kearney [email protected]