Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assume role support has been broken since 2022 🤣 #2879

Closed
oleh-motrunych opened this issue Sep 4, 2024 · 3 comments
Closed

Assume role support has been broken since 2022 🤣 #2879

oleh-motrunych opened this issue Sep 4, 2024 · 3 comments
Assignees
@rtyler
Labels
binding/rust Issues for the Rust crate bug Something isn't working storage/aws AWS S3 storage related

Comments

@oleh-motrunych
Copy link

kafka-delta-ingest version 0.2.0 fails to assume the specified IAM role for cross-account writes to S3, resulting in an Access Denied (403) error, the previous version of the application worked correctly under the same configuration.

error log

2024-09-04T18:23:33 [ERROR] - my.app: Ingest service exited with error Writer { source: Storage { source: Generic { store: "S3", source: Client { status: 403, body: Some("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>CAE9GFWZPREMDXXX</RequestId><HostId>fsdfsdfsdfAaXXXXXqUenLk4JxzSkdGI/msdfsfsfdHyg=</HostId></Error>") } } } }

Current setup:
• AWS Account A: kafka-delta-ingest running as an ECS task.
• AWS Account B: S3 bucket for storage and DynamoDB for lock table.

Steps Taken:

1.	With AWS_S3_ASSUME_ROLE_ARN set: The error still occurred with the same 403 Access Denied response.
2.	Without AWS_S3_ASSUME_ROLE_ARN: The error persisted, Same result.
3.	With a dummy IAM role in AWS_S3_ASSUME_ROLE_ARN: Same result.
4.	With S3 in the same account (Account A): Everything worked perfectly, confirming the issue is specific to cross-account role assumption.
5.	Using the old version: Previous versions of kafka-delta-ingest (before v0.2.0) work fine with the exact same IAM role assumption setup.

Expected Behavior:

The application should properly assume the IAM role specified in the AWS_S3_ASSUME_ROLE_ARN environment variable and perform cross-account writes to S3 in Account B.
@rtyler rtyler self-assigned this Sep 5, 2024
@rtyler rtyler added the bug Something isn't working label Sep 5, 2024
@rtyler
Copy link
Member

rtyler commented Sep 5, 2024

Comparing the current main from kafka-delta-ingest to older deployed versions, I have a hunch this is really a delta-io/delta-rs bug and will try to focus there. 🤔

@rtyler
Copy link
Member

rtyler commented Sep 9, 2024

I believe this happened when we switched from the rusoto crate to the official AWS SDK crate in delta-rs. Those options are still defined in our code, but don't actually get pulled through to configure the underlying AWS client 🤕

@rtyler rtyler transferred this issue from delta-io/kafka-delta-ingest Sep 11, 2024
@rtyler rtyler changed the title AWS_S3_ASSUME_ROLE_ARN environment variable is ignored in kafka-delta-ingest v 0.2.0 Assume role support has been broken since 2022 🤣 Sep 11, 2024
@rtyler rtyler added binding/rust Issues for the Rust crate storage/aws AWS S3 storage related labels Sep 11, 2024
@rtyler
Copy link
Member

rtyler commented Sep 11, 2024

image

Based on my analysis this change was responsible for removing assume role support. In essence object_store does not have native assume role support and in order to support this functionality we must first assume the role, get the temporary credentials, and then construct the appropriate AmazonS3 object store

rtyler added a commit to rtyler/delta-rs that referenced this issue Sep 16, 2024
@rtyler
feat: improve AWS credential loading between S3 and DynamoDb code paths
b2bad8a 
This change implements a number of improvements to the code paths for
loading credentials.  This is a prerequisite to fixing assume role
support delta-io#2879 but should also address a number of bugs I noticed:

* Python libraries can pass in keys via `storage_options` which are used
  for configuration of the AmazonS3 ObjectStore, but those credentials
  would not be used in the construction of the DynamoDB connection
* Using AWS credentials such as those from ~/.aws/profile or SSO would
  not be properly dropped into the AmazonS3 object store creation

There is some additional work that needs to come in to clean up how
various options overrides are managed still.

Sponsored-by: Scribd Inc.
@rtyler rtyler mentioned this issue Sep 16, 2024
Merged
rtyler added a commit to rtyler/delta-rs that referenced this issue Sep 16, 2024
@rtyler
feat: improve AWS credential loading between S3 and DynamoDb code paths
73d688e 
This change implements a number of improvements to the code paths for
loading credentials.  This is a prerequisite to fixing assume role
support delta-io#2879 but should also address a number of bugs I noticed:

* Python libraries can pass in keys via `storage_options` which are used
  for configuration of the AmazonS3 ObjectStore, but those credentials
  would not be used in the construction of the DynamoDB connection
* Using AWS credentials such as those from ~/.aws/profile or SSO would
  not be properly dropped into the AmazonS3 object store creation

There is some additional work that needs to come in to clean up how
various options overrides are managed still.

Sponsored-by: Scribd Inc.
rtyler added a commit to rtyler/delta-rs that referenced this issue Sep 16, 2024
@rtyler
fix: allow for assuming a role when bootstrapping AWS credential conf…
1cd8d98 
…iguration

Fixes delta-io#2879
rtyler added a commit to rtyler/delta-rs that referenced this issue Sep 17, 2024
@rtyler
feat: improve AWS credential loading between S3 and DynamoDb code paths
7409ab5 
This change implements a number of improvements to the code paths for
loading credentials.  This is a prerequisite to fixing assume role
support delta-io#2879 but should also address a number of bugs I noticed:

* Python libraries can pass in keys via `storage_options` which are used
  for configuration of the AmazonS3 ObjectStore, but those credentials
  would not be used in the construction of the DynamoDB connection
* Using AWS credentials such as those from ~/.aws/profile or SSO would
  not be properly dropped into the AmazonS3 object store creation

There is some additional work that needs to come in to clean up how
various options overrides are managed still.

Sponsored-by: Scribd Inc.
rtyler added a commit to rtyler/delta-rs that referenced this issue Sep 17, 2024
@rtyler
fix: allow for assuming a role when bootstrapping AWS credential conf…
9e2d000 
…iguration

Fixes delta-io#2879
github-merge-queue bot pushed a commit that referenced this issue Sep 17, 2024
@rtyler
feat: improve AWS credential loading between S3 and DynamoDb code paths
8e37f8b 
This change implements a number of improvements to the code paths for
loading credentials.  This is a prerequisite to fixing assume role
support #2879 but should also address a number of bugs I noticed:

* Python libraries can pass in keys via `storage_options` which are used
  for configuration of the AmazonS3 ObjectStore, but those credentials
  would not be used in the construction of the DynamoDB connection
* Using AWS credentials such as those from ~/.aws/profile or SSO would
  not be properly dropped into the AmazonS3 object store creation

There is some additional work that needs to come in to clean up how
various options overrides are managed still.

Sponsored-by: Scribd Inc.
github-merge-queue bot pushed a commit that referenced this issue Sep 17, 2024
@rtyler
fix: allow for assuming a role when bootstrapping AWS credential conf…
83043b6 
…iguration

Fixes #2879
@rtyler rtyler closed this as completed Sep 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rtyler rtyler

Labels
binding/rust Issues for the Rust crate bug Something isn't working storage/aws AWS S3 storage related
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rtyler @oleh-motrunych