run CI for #8079#8211
Conversation
Add opt-in AWS IAM authentication for S3 connections. When IAM is enabled, services authenticate to S3 using short-lived SigV4 pre-signed tokens instead of static credentials, with a new token generated for each request. New environment variables: - S3_AWS_IAM_AUTH_ENABLED: enable IAM authentication for S3 - S3_MIRROR_AWS_IAM_AUTH_ENABLED: enable IAM authentication for S3 Mirror - S3_AUDIT_LOG_AWS_IAM_AUTH_ENABLED: enable IAM authentication for S3 Audit Log
There was a problem hiding this comment.
Code Review
This pull request introduces opt-in AWS IAM authentication for S3 connections across the server, mirror, and audit log services, replacing static credentials with a dynamic S3CredentialProvider powered by the AWS SDK's default credential chain. It also updates environment variable validation to make static S3 credentials optional when IAM authentication is enabled, fixes an S3 upload signing issue in the AuditLogManager, and adds comprehensive unit tests. The review feedback suggests improving the credential provider's error messages by dynamically referencing the correct environment variables based on the service label, and correcting a minor grammatical typo in the changeset documentation.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| } else { | ||
| throw new Error( | ||
| 'No S3 credentials available. Either enable S3 IAM auth, or ' + | ||
| 'provide S3 static credentials S3_ACCESS_KEY_ID and S3_SECRET_ACCESS_KEY.', | ||
| ); | ||
| } |
There was a problem hiding this comment.
The error message is hardcoded to S3_ACCESS_KEY_ID and S3_SECRET_ACCESS_KEY. Since this provider is also used for s3Mirror and s3AuditLogs, we should make the error message dynamic based on the label option to avoid misleading the user.
} else {
const isMirror = options?.label?.includes('mirror');
const isAudit = options?.label?.includes('audit');
const keyIdVar = isMirror ? 'S3_MIRROR_ACCESS_KEY_ID' : isAudit ? 'S3_AUDIT_LOG_ACCESS_KEY_ID' : 'S3_ACCESS_KEY_ID';
const secretVar = isMirror ? 'S3_MIRROR_SECRET_ACCESS_KEY' : isAudit ? 'S3_AUDIT_LOG_SECRET_ACCESS_KEY' : 'S3_SECRET_ACCESS_KEY';
throw new Error(
'No S3 credentials available. Either enable S3 IAM auth, or provide S3 static credentials ' +
keyIdVar +
' and ' +
secretVar +
'.'
);
}|
|
||
| Added opt-in AWS IAM authentication for S3 connections. When IAM is enabled, services authenticate | ||
| to S3 using short-lived SigV4 pre-signed tokens instead of static passwords, since S3 connections | ||
| are HTTP requests a new token will be generate for each call. |
|
🐋 This PR was built and pushed to the following Docker images: Targets: Platforms: Image Tags: |
run CI for #8079