From 1d9647598fd00be1dc6a53fc90a28a09a171b741 Mon Sep 17 00:00:00 2001 From: "Jalpreet Singh Nanda (:imjalpreet)" Date: Mon, 8 Jan 2024 04:33:42 +0530 Subject: [PATCH] Deprecate hive config `hive.s3.use-instance-credentials` After the introduction of DefaultAWSCredentialsProviderChain, this config has become redundant as instance credentials can still be used even if this config is false, as they are the last item in the DefaultAWSCredentialsProviderChain. --- .../src/main/sphinx/connector/hive.rst | 23 +++++++++++-------- .../facebook/presto/hive/s3/HiveS3Config.java | 2 ++ 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/presto-docs/src/main/sphinx/connector/hive.rst b/presto-docs/src/main/sphinx/connector/hive.rst index 5a9a999dc369..3a536fe40762 100644 --- a/presto-docs/src/main/sphinx/connector/hive.rst +++ b/presto-docs/src/main/sphinx/connector/hive.rst @@ -283,6 +283,8 @@ Property Name Description ``hive.s3.use-instance-credentials`` Use the EC2 metadata service to retrieve API credentials (defaults to ``false``). This works with IAM roles in EC2. + **Note:** This property is deprecated. + ``hive.s3.aws-access-key`` Default AWS access key to use. ``hive.s3.aws-secret-key`` Default AWS secret key to use. 
@@ -348,15 +350,18 @@ S3 Credentials ^^^^^^^^^^^^^^ If you are running Presto on Amazon EC2 using EMR or another facility, -you can set ``hive.s3.use-instance-credentials`` -to ``true`` and use IAM Roles for EC2 to govern access to S3. If this is -the case, your EC2 instances will need to be assigned an IAM Role which -grants appropriate access to the data stored in the S3 bucket(s) you wish -to use. It's also possible to configure an IAM role with ``hive.s3.iam-role`` -that will be assumed for accessing any S3 bucket. This is much cleaner than -setting AWS access and secret keys in the ``hive.s3.aws-access-key`` -and ``hive.s3.aws-secret-key`` settings, and also allows EC2 to automatically -rotate credentials on a regular basis without any additional work on your part. +it is recommended that you use IAM Roles for EC2 to govern access to S3. To enable this, +your EC2 instances will need to be assigned an IAM Role which grants appropriate +access to the data stored in the S3 bucket(s) you wish to use. It's also possible +to configure an IAM role with ``hive.s3.iam-role`` that will be assumed for accessing +any S3 bucket. This is much cleaner than setting AWS access and secret keys in the +``hive.s3.aws-access-key`` and ``hive.s3.aws-secret-key`` settings, and also allows +EC2 to automatically rotate credentials on a regular basis without any additional +work on your part. + +After the introduction of DefaultAWSCredentialsProviderChain, if neither IAM role nor +IAM credentials are configured, instance credentials will be used as they are the last item +in the DefaultAWSCredentialsProviderChain. Custom S3 Credentials Provider ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/presto-hive/src/main/java/com/facebook/presto/hive/s3/HiveS3Config.java b/presto-hive/src/main/java/com/facebook/presto/hive/s3/HiveS3Config.java index 411acbdaeca2..e6db59a64fe3 100644 --- a/presto-hive/src/main/java/com/facebook/presto/hive/s3/HiveS3Config.java 
+++ b/presto-hive/src/main/java/com/facebook/presto/hive/s3/HiveS3Config.java @@ -138,11 +138,13 @@ public HiveS3Config setS3PathStyleAccess(boolean s3PathStyleAccess) return this; } + @Deprecated public boolean isS3UseInstanceCredentials() { return s3UseInstanceCredentials; } + @Deprecated @Config("hive.s3.use-instance-credentials") public HiveS3Config setS3UseInstanceCredentials(boolean s3UseInstanceCredentials) {
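Review bot: The `@Deprecated` annotations added to `isS3UseInstanceCredentials()` and `setS3UseInstanceCredentials(...)` have no accompanying Javadoc `@deprecated` tag, so the code does not say that setting the flag to `false` does not keep a node from using EC2 instance credentials. The commit description states that instance credentials are the last entry of DefaultAWSCredentialsProviderChain and can be used regardless of this flag, which matters to any deployment that set it to `false` as a least-privilege control. I would add to both methods `/** @deprecated Setting this to false does not disable EC2 instance credentials; they remain the last entry of the default AWS credentials provider chain. */`, so the limitation is visible wherever the property is still referenced. The setter's body continues outside the hunk, and whether `s3UseInstanceCredentials` is still read elsewhere cannot be seen from here.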