Fix S3 client to support IRSA credentials (#54)

2026-01-21 14:42:53 -06:00
parent 255e25d66d
commit fedbd95cf4
2 changed files with 30 additions and 9 deletions
--- a/backend/app/storage.py
+++ b/backend/app/storage.py
@@ -242,15 +242,19 @@ class S3Storage:
            },
        )

-        self.client = boto3.client(
-            "s3",
-            endpoint_url=settings.s3_endpoint if settings.s3_endpoint else None,
-            region_name=settings.s3_region,
-            aws_access_key_id=settings.s3_access_key_id,
-            aws_secret_access_key=settings.s3_secret_access_key,
-            config=config,
-            verify=settings.s3_verify_ssl,  # SSL/TLS verification
-        )
+        # Build client kwargs - only include credentials if explicitly provided
+        # This allows IRSA/IAM role credentials to be used when no explicit creds are set
+        client_kwargs = {
+            "endpoint_url": settings.s3_endpoint if settings.s3_endpoint else None,
+            "region_name": settings.s3_region,
+            "config": config,
+            "verify": settings.s3_verify_ssl,
+        }
+        if settings.s3_access_key_id and settings.s3_secret_access_key:
+            client_kwargs["aws_access_key_id"] = settings.s3_access_key_id
+            client_kwargs["aws_secret_access_key"] = settings.s3_secret_access_key
+
+        self.client = boto3.client("s3", **client_kwargs)
        self.bucket = settings.s3_bucket
        # Store active multipart uploads for resumable support
        self._active_uploads: Dict[str, Dict[str, Any]] = {}