From e51f3ab9d01909b1f63ed44ae68126bc8fb12e12 Mon Sep 17 00:00:00 2001
From: Mondo Diaz
Date: Wed, 21 Jan 2026 20:05:43 +0000
Subject: [PATCH] Fix S3 client to support IRSA credentials

Only pass explicit credentials to boto3 if they're actually set. This allows the default credential chain (including IRSA web identity tokens) to be used when no access key is configured.
---
 backend/app/storage.py | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/backend/app/storage.py b/backend/app/storage.py
index cb7dbd4..d23e544 100644
--- a/backend/app/storage.py
+++ b/backend/app/storage.py
@@ -242,15 +242,19 @@ class S3Storage:
 },
 )
 
- self.client = boto3.client(
- "s3",
- endpoint_url=settings.s3_endpoint if settings.s3_endpoint else None,
- region_name=settings.s3_region,
- aws_access_key_id=settings.s3_access_key_id,
- aws_secret_access_key=settings.s3_secret_access_key,
- config=config,
- verify=settings.s3_verify_ssl, # SSL/TLS verification
- )
+ # Build client kwargs - only include credentials if explicitly provided
+ # This allows IRSA/IAM role credentials to be used when no explicit creds are set
+ client_kwargs = {
+ "endpoint_url": settings.s3_endpoint if settings.s3_endpoint else None,
+ "region_name": settings.s3_region,
+ "config": config,
+ "verify": settings.s3_verify_ssl,
+ }
+ if settings.s3_access_key_id and settings.s3_secret_access_key:
+ client_kwargs["aws_access_key_id"] = settings.s3_access_key_id
+ client_kwargs["aws_secret_access_key"] = settings.s3_secret_access_key
+
+ self.client = boto3.client("s3", **client_kwargs)
 self.bucket = settings.s3_bucket
 # Store active multipart uploads for resumable support
 self._active_uploads: Dict[str, Dict[str, Any]] = {}
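Review bot: The new guard `if settings.s3_access_key_id and settings.s3_secret_access_key:` silently drops a half-configured pair: when only one of the two settings is set, the client is built from the ambient credential chain, so the process may run under a different identity (IRSA role, node role) than the operator configured, with no error. Reject that state before building `client_kwargs`, e.g. `if bool(settings.s3_access_key_id) != bool(settings.s3_secret_access_key): raise ValueError("s3_access_key_id and s3_secret_access_key must be set together")`. A log line naming the credential source in use (static keys vs. default chain, never the values) would also make the fallback auditable. The enclosing method starts and ends outside the hunk.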