Merge branch 'fix/s3-irsa-credentials' into 'main'

Fix S3 client to support IRSA credentials (#54)

See merge request esv/bsf/bsf-integration/orchard/orchard-mvp!36
Dane Moss
2026-01-21 13:42:53 -07:00
2 changed files with 30 additions and 9 deletions


@@ -6,6 +6,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased] ## [Unreleased]
### Added
- Added AWS Secrets Manager CSI driver support for database credentials (#54)
- Added SecretProviderClass template for Secrets Manager integration (#54)
- Added IRSA service account annotations for prod and stage environments (#54)
### Changed
- Configured stage and prod to use AWS RDS instead of PostgreSQL subchart (#54)
- Configured stage and prod to use AWS S3 instead of MinIO subchart (#54)
- Changed prod deployment from manual to automatic on version tags (#54)
- Updated S3 client to support IRSA credentials when no explicit keys provided (#54)
- Changed prod image pullPolicy to Always (#54)
- Added proxy-body-size annotation to prod ingress for large uploads (#54)
### Removed
- Disabled PostgreSQL subchart for stage and prod environments (#54)
- Disabled MinIO subchart for stage and prod environments (#54)
### Added ### Added
- Added comprehensive upload/download tests for size boundaries (1B to 1GB) (#38) - Added comprehensive upload/download tests for size boundaries (1B to 1GB) (#38)
- Added concurrent upload/download tests (2, 5, 10 parallel operations) (#38) - Added concurrent upload/download tests (2, 5, 10 parallel operations) (#38)
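Review bot: the [Unreleased] section now carries two "### Added" headings, the new one introduced by this hunk and the pre-existing one that still holds the #38 test entries below it; Keep a Changelog expects one heading per change type per release, so the three new Added items (CSI driver, SecretProviderClass template, IRSA annotations) should be merged into the existing "### Added" block rather than opening a second one. On the same hunk, "Added proxy-body-size annotation to prod ingress for large uploads (#54)" is filed under "### Changed" but reads as an addition, and the two "Disabled ... subchart" lines under "### Removed" restate the "Configured stage and prod to use AWS RDS/S3 instead of ..." entries already under "### Changed"; keeping one or the other avoids a reader counting the same change twice.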


@@ -242,15 +242,19 @@ class S3Storage:
}, },
) )
self.client = boto3.client( # Build client kwargs - only include credentials if explicitly provided
"s3", # This allows IRSA/IAM role credentials to be used when no explicit creds are set
endpoint_url=settings.s3_endpoint if settings.s3_endpoint else None, client_kwargs = {
region_name=settings.s3_region, "endpoint_url": settings.s3_endpoint if settings.s3_endpoint else None,
aws_access_key_id=settings.s3_access_key_id, "region_name": settings.s3_region,
aws_secret_access_key=settings.s3_secret_access_key, "config": config,
config=config, "verify": settings.s3_verify_ssl,
verify=settings.s3_verify_ssl, # SSL/TLS verification }
) if settings.s3_access_key_id and settings.s3_secret_access_key:
client_kwargs["aws_access_key_id"] = settings.s3_access_key_id
client_kwargs["aws_secret_access_key"] = settings.s3_secret_access_key
self.client = boto3.client("s3", **client_kwargs)
self.bucket = settings.s3_bucket self.bucket = settings.s3_bucket
# Store active multipart uploads for resumable support # Store active multipart uploads for resumable support
self._active_uploads: Dict[str, Dict[str, Any]] = {} self._active_uploads: Dict[str, Dict[str, Any]] = {}
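Review bot: the `if settings.s3_access_key_id and settings.s3_secret_access_key:` guard silently falls back to the boto3 default credential chain (IRSA, environment, instance profile) when only one half of the static key pair is configured, which turns a deployment typo into a run with unexpected credentials rather than a startup error; an explicit check such as `if bool(settings.s3_access_key_id) != bool(settings.s3_secret_access_key): raise ValueError("s3_access_key_id and s3_secret_access_key must be set together")` before building `client_kwargs` makes the misconfiguration visible. It would also help operators to log which credential source was selected (explicit keys vs. the default chain) at INFO level when the client is built, since the two paths are now indistinguishable from the outside. The comment on the first line of the hunk is a good addition; consider keeping the inline `# SSL/TLS verification` note that was dropped from the `verify` entry so the intent of `settings.s3_verify_ssl` stays documented.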