Skip to content

[fs] Support AWS S3 credentials provider mode#3540

Merged
fresh-borzoni merged 2 commits into
apache:mainfrom
litiliu:#3493
Jul 7, 2026
Merged

[fs] Support AWS S3 credentials provider mode#3540
fresh-borzoni merged 2 commits into
apache:mainfrom
litiliu:#3493

Conversation

@litiliu

@litiliu litiliu commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Purpose

Closes #3493.

This PR adds a server-side AWS S3 credentials provider mode for the S3 filesystem. When fs.s3a.aws.credentials.provider is explicitly configured in Fluss configuration, Fluss treats it as the authoritative server-side credential source instead of injecting the client delegated-token provider.

This is intended for deployments that use standard AWS SDK/Hadoop S3A providers such as com.amazonaws.auth.profile.ProfileCredentialsProvider, so rotated long-term credentials can be picked up by the provider without restarting Fluss servers.

The full motivation and design discussion are in #3493. This PR description keeps the reviewer-facing summary and the final implemented behavior.

Brief change log

  • Detect explicitly configured S3 credential providers from Fluss config keys:
    • s3.aws.credentials.provider
    • s3a.aws.credentials.provider
    • fs.s3a.aws.credentials.provider
  • Store an internal Hadoop configuration marker so S3DelegationTokenProvider can distinguish an explicit Fluss provider from Hadoop default resources.
  • In explicit provider mode:
    • do not inject DynamicTemporaryAWSCredentialsProvider;
    • reject provider mode combined with fs.s3a.assumed.role.arn;
    • make the explicit provider win over static AK/SK if both are configured;
    • reuse Hadoop S3A's provider loader for the token path.
  • Resolve credentials from the configured provider on each STS token request instead of freezing AK/SK in the token provider constructor.
  • Reject session credentials before calling STS, so temporary credentials are not used as input for client-token generation.
  • Preserve existing static AK/SK, AssumeRole, and delegated-token client behavior when no explicit server-side provider is configured.

Credential mode resolution:

Static AK/SK AssumeRole ARN Explicit provider Result
any set set rejected
any unset set server-side provider mode; provider wins
set unset unset static AK/SK
set set unset existing static AK/SK + AssumeRole behavior
unset set unset AssumeRole
unset unset unset delegated-token client path

Tests

  • mvn -pl fluss-filesystems/fluss-fs-s3 test -Dtest=S3FileSystemPluginTest,S3DelegationTokenProviderTest

Added/updated coverage for:

  • explicit provider mode does not inject DynamicTemporaryAWSCredentialsProvider;
  • static AK/SK and AssumeRole modes keep existing behavior;
  • explicit provider wins over static AK/SK;
  • explicit provider + AssumeRole is rejected;
  • explicitly configuring DynamicTemporaryAWSCredentialsProvider for server mode is rejected;
  • configured provider credentials are resolved for each token request;
  • session credentials are rejected before STS.

API and Format

No public API or storage format changes.

The PR adds an internal Hadoop configuration marker under fluss.fs.s3.aws.credentials.provider.explicitly.configured. It is not a user-facing option; it only carries whether the provider was explicitly configured through Fluss config.

Documentation

No separate documentation update in this PR. The user-facing behavior and operational motivation are described in #3493.

Generative AI disclosure

  • Yes: OpenAI Codex was used to help implement and review this change, following the repository AGENTS.md guidance.

@litiliu litiliu changed the title Support AWS S3 credentials provider mode [fs] Support AWS S3 credentials provider mode Jun 29, 2026
@litiliu

litiliu commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

@fresh-borzoni could you please help review this when you have time? Thanks!

@fresh-borzoni fresh-borzoni left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@litiliu Thank you for the PR, looks good overall, couple of minor comments, PTAL

import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenResult;
import org.apache.commons.lang3.StringUtils;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

commons-lang3 is only transitive here, shall we use org.apache.commons.lang3.StringUtils?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I replaced org.apache.commons.lang3.StringUtils with Fluss's org.apache.fluss.utils.StringUtils, so we no longer rely on the transitive commons-lang3 dependency.

@litiliu

litiliu commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

@fresh-borzoni Thanks for the review! I've addressed the comments, added the S3 credential-provider documentation, and rebased the branch onto the latest main. PTAL when you have time.

@fresh-borzoni fresh-borzoni left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@litiliu Thank you, I've added small change in the docs for the use-case you added(otherwise it's only the note, so it's a bit weird), hope it's alright, merging.

@fresh-borzoni fresh-borzoni merged commit c5a0c00 into apache:main Jul 7, 2026
7 of 8 checks passed
@litiliu litiliu deleted the #3493 branch July 7, 2026 03:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[feature] Support AWS S3 credentials provider mode to refresh credentials without restarting servers

2 participants