From 3a61576764c8a33e3b803a38b9d6418c459a026b Mon Sep 17 00:00:00 2001 From: Mondo Diaz Date: Wed, 21 Jan 2026 20:27:47 +0000 Subject: [PATCH] Fix S3 client to support IRSA credentials (#54) Only pass explicit credentials to boto3 if they're actually set. This allows the default credential chain (including IRSA web identity tokens) to be used when no access key is configured. Also adds CHANGELOG entries for AWS services configuration. --- CHANGELOG.md | 17 +++++++++++++++++ backend/app/storage.py | 22 +++++++++++++--------- 2 files changed, 30 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d945122..5cf267b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +### Added +- Added AWS Secrets Manager CSI driver support for database credentials (#54) +- Added SecretProviderClass template for Secrets Manager integration (#54) +- Added IRSA service account annotations for prod and stage environments (#54) + +### Changed +- Configured stage and prod to use AWS RDS instead of PostgreSQL subchart (#54) +- Configured stage and prod to use AWS S3 instead of MinIO subchart (#54) +- Changed prod deployment from manual to automatic on version tags (#54) +- Updated S3 client to support IRSA credentials when no explicit keys provided (#54) +- Changed prod image pullPolicy to Always (#54) +- Added proxy-body-size annotation to prod ingress for large uploads (#54) + +### Removed +- Disabled PostgreSQL subchart for stage and prod environments (#54) +- Disabled MinIO subchart for stage and prod environments (#54) + ### Added - Added comprehensive upload/download tests for size boundaries (1B to 1GB) (#38) - Added concurrent upload/download tests (2, 5, 10 parallel operations) (#38) 
diff --git a/backend/app/storage.py b/backend/app/storage.py
index cb7dbd4..d23e544 100644
--- a/backend/app/storage.py
+++ b/backend/app/storage.py
@@ -242,15 +242,19 @@ class S3Storage:
             },
         )
-        self.client = boto3.client(
-            "s3",
-            endpoint_url=settings.s3_endpoint if settings.s3_endpoint else None,
-            region_name=settings.s3_region,
-            aws_access_key_id=settings.s3_access_key_id,
-            aws_secret_access_key=settings.s3_secret_access_key,
-            config=config,
-            verify=settings.s3_verify_ssl,  # SSL/TLS verification
-        )
+        # Build client kwargs - only include credentials if explicitly provided
+        # This allows IRSA/IAM role credentials to be used when no explicit creds are set
+        client_kwargs = {
+            "endpoint_url": settings.s3_endpoint if settings.s3_endpoint else None,
+            "region_name": settings.s3_region,
+            "config": config,
+            "verify": settings.s3_verify_ssl,
+        }
+        if settings.s3_access_key_id and settings.s3_secret_access_key:
+            client_kwargs["aws_access_key_id"] = settings.s3_access_key_id
+            client_kwargs["aws_secret_access_key"] = settings.s3_secret_access_key
+
+        self.client = boto3.client("s3", **client_kwargs)
         self.bucket = settings.s3_bucket
         # Store active multipart uploads for resumable support
         self._active_uploads: Dict[str, Dict[str, Any]] = {}
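Review bot: A half-configured credential pair is silently downgraded to the ambient credential chain by the `if settings.s3_access_key_id and settings.s3_secret_access_key:` guard — if only one of the two is set (a typo'd secret name, a missing env var), the client no longer fails to authenticate as before but quietly runs with whatever the node or pod identity happens to be, which can mean writing to a bucket under an unintended principal. That case should fail closed rather than fall through: before building `client_kwargs`, add `if bool(settings.s3_access_key_id) != bool(settings.s3_secret_access_key):` followed by `raise ValueError("s3_access_key_id and s3_secret_access_key must be set together or both left unset")`. It would also help operators to emit one startup log line saying which mode is in effect (explicit keys vs. default credential chain), since the IRSA path is otherwise invisible until the first request fails. Note that if the explicit keys are ever temporary STS credentials they also need `aws_session_token`, which the settings shown here do not appear to carry — worth confirming against the settings class. The enclosing `__init__` starts before this hunk.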