bitforge/orchard
3
0
Fork 0
Code Projects Wiki Activity

Fix S3 client to support IRSA credentials (#54)

Browse Source 
Only pass explicit credentials to boto3 if they're actually set.
This allows the default credential chain (including IRSA web identity
tokens) to be used when no access key is configured.

Also adds CHANGELOG entries for AWS services configuration.
This commit is contained in:
Mondo Diaz
2026-01-21 20:27:47 +00:00
parent 255e25d66d
commit 3a61576764
2 changed files with 30 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
CHANGELOG.md
View File

@@ -6,6 +6,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased] ## [Unreleased]
### Added
- Added AWS Secrets Manager CSI driver support for database credentials (#54)
- Added SecretProviderClass template for Secrets Manager integration (#54)
- Added IRSA service account annotations for prod and stage environments (#54)
### Changed
- Configured stage and prod to use AWS RDS instead of PostgreSQL subchart (#54)
- Configured stage and prod to use AWS S3 instead of MinIO subchart (#54)
- Changed prod deployment from manual to automatic on version tags (#54)
- Updated S3 client to support IRSA credentials when no explicit keys provided (#54)
- Changed prod image pullPolicy to Always (#54)
- Added proxy-body-size annotation to prod ingress for large uploads (#54)
### Removed
- Disabled PostgreSQL subchart for stage and prod environments (#54)
- Disabled MinIO subchart for stage and prod environments (#54)
### Added ### Added
- Added comprehensive upload/download tests for size boundaries (1B to 1GB) (#38) - Added comprehensive upload/download tests for size boundaries (1B to 1GB) (#38)
- Added concurrent upload/download tests (2, 5, 10 parallel operations) (#38) - Added concurrent upload/download tests (2, 5, 10 parallel operations) (#38)

22
backend/app/storage.py
View File

@@ -242,15 +242,19 @@ class S3Storage:
}, },
) )
self.client = boto3.client( # Build client kwargs - only include credentials if explicitly provided
"s3", # This allows IRSA/IAM role credentials to be used when no explicit creds are set
endpoint_url=settings.s3_endpoint if settings.s3_endpoint else None, client_kwargs = {
region_name=settings.s3_region, "endpoint_url": settings.s3_endpoint if settings.s3_endpoint else None,
aws_access_key_id=settings.s3_access_key_id, "region_name": settings.s3_region,
aws_secret_access_key=settings.s3_secret_access_key, "config": config,
config=config, "verify": settings.s3_verify_ssl,
verify=settings.s3_verify_ssl, # SSL/TLS verification }
) if settings.s3_access_key_id and settings.s3_secret_access_key:
client_kwargs["aws_access_key_id"] = settings.s3_access_key_id
client_kwargs["aws_secret_access_key"] = settings.s3_secret_access_key
self.client = boto3.client("s3", **client_kwargs)
self.bucket = settings.s3_bucket self.bucket = settings.s3_bucket
# Store active multipart uploads for resumable support # Store active multipart uploads for resumable support
self._active_uploads: Dict[str, Dict[str, Any]] = {} self._active_uploads: Dict[str, Dict[str, Any]] = {}