From fedbd95cf4bec29f93f83d210b8da15e79624b29 Mon Sep 17 00:00:00 2001
From: Mondo Diaz
Date: Wed, 21 Jan 2026 14:42:53 -0600
Subject: [PATCH] Fix S3 client to support IRSA credentials (#54)

---
 CHANGELOG.md | 17 +++++++++++++++++
 backend/app/storage.py | 22 +++++++++++++---------
 2 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d945122..5cf267b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Added AWS Secrets Manager CSI driver support for database credentials (#54)
+- Added SecretProviderClass template for Secrets Manager integration (#54)
+- Added IRSA service account annotations for prod and stage environments (#54)
+
+### Changed
+- Configured stage and prod to use AWS RDS instead of PostgreSQL subchart (#54)
+- Configured stage and prod to use AWS S3 instead of MinIO subchart (#54)
+- Changed prod deployment from manual to automatic on version tags (#54)
+- Updated S3 client to support IRSA credentials when no explicit keys provided (#54)
+- Changed prod image pullPolicy to Always (#54)
+- Added proxy-body-size annotation to prod ingress for large uploads (#54)
+
+### Removed
+- Disabled PostgreSQL subchart for stage and prod environments (#54)
+- Disabled MinIO subchart for stage and prod environments (#54)
+
 ### Added
 - Added comprehensive upload/download tests for size boundaries (1B to 1GB) (#38)
 - Added concurrent upload/download tests (2, 5, 10 parallel operations) (#38)
diff --git a/backend/app/storage.py b/backend/app/storage.py
index cb7dbd4..d23e544 100644
--- a/backend/app/storage.py
+++ b/backend/app/storage.py
@@ -242,15 +242,19 @@ class S3Storage:
             },
         )
 
-        self.client = boto3.client(
-            "s3",
-            endpoint_url=settings.s3_endpoint if settings.s3_endpoint else None,
-            region_name=settings.s3_region,
-            aws_access_key_id=settings.s3_access_key_id,
-            aws_secret_access_key=settings.s3_secret_access_key,
-            config=config,
-            verify=settings.s3_verify_ssl,  # SSL/TLS verification
-        )
+        # Build client kwargs - only include credentials if explicitly provided
+        # This allows IRSA/IAM role credentials to be used when no explicit creds are set
+        client_kwargs = {
+            "endpoint_url": settings.s3_endpoint if settings.s3_endpoint else None,
+            "region_name": settings.s3_region,
+            "config": config,
+            "verify": settings.s3_verify_ssl,
+        }
+        if settings.s3_access_key_id and settings.s3_secret_access_key:
+            client_kwargs["aws_access_key_id"] = settings.s3_access_key_id
+            client_kwargs["aws_secret_access_key"] = settings.s3_secret_access_key
+
+        self.client = boto3.client("s3", **client_kwargs)
         self.bucket = settings.s3_bucket
         # Store active multipart uploads for resumable support
         self._active_uploads: Dict[str, Dict[str, Any]] = {}
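Review bot: The `if settings.s3_access_key_id and settings.s3_secret_access_key:` guard silently discards a half-configured pair — if only one of the two keys is set (a typical typo in a Secrets Manager mapping or env var), both are dropped and boto3 falls through to the ambient credential chain (IRSA token, then the node's instance profile via IMDS, env vars, `~/.aws`), so the service may run with whatever identity the node happens to have and the symptom surfaces later as an AccessDenied far from the cause. Fail fast instead: `if bool(settings.s3_access_key_id) != bool(settings.s3_secret_access_key): raise ValueError("s3_access_key_id and s3_secret_access_key must both be set or both be empty")` before building `client_kwargs`, and log which source is in use (explicit keys vs. default chain) so a mis-annotated service account is visible at startup rather than inferred from S3 errors. The removed `verify=settings.s3_verify_ssl,  # SSL/TLS verification` comment is worth keeping on the new `"verify"` entry, since that flag disables certificate checking when false and deserves a why-comment next to it. If the explicit keys can ever be temporary STS credentials, the dict also needs an `aws_session_token` entry; I cannot see the settings object, so confirm whether such a field exists. The enclosing `__init__` starts before this hunk.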