[fix](s3)Use anonymous credentials for S3-compatible storage when credentials are absent #60443
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…dentials are absent For S3-compatible object storages such as COS and OBS, authentication does not fully follow the AWS native credential provider chain. In these systems, anonymous access is a valid and commonly used mode when no AK/SK is configured. However, when `aws_credentials_provider_version` is set to `v2`, BE currently falls back to the AWS SDK v2 default credential provider chain if no credentials are explicitly provided. This behavior is AWS-specific and is not applicable to S3-compatible storage systems like COS and OBS, which may not support or require the AWS credential resolution chain. Problem ------- When `aws_credentials_provider_version = v2` and no AK/SK is configured: - BE attempts to resolve credentials using the AWS SDK v2 provider chain - This may lead to unexpected authentication failures or unnecessary environment dependency - The behavior is inconsistent with S3-compatible storage expectations Expected Behavior ----------------- For S3-compatible object storage: - If AK/SK is explicitly provided, use the configured credentials - If no credentials are provided, fall back to anonymous credentials - Do NOT trigger the AWS SDK v2 default credential provider chain
Contributor
|
Thank you for your contribution to Apache Doris. Please clearly describe your PR:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…
For S3-compatible object storages such as COS and OBS, authentication does not fully follow the AWS native credential provider chain. In these systems, anonymous access is a valid and commonly used mode when no AK/SK is configured.
However, when
aws_credentials_provider_versionis set tov2, BE currently falls back to the AWS SDK v2 default credential provider chain if no credentials are explicitly provided. This behavior is AWS-specific and is not applicable to S3-compatible storage systems like COS and OBS, which may not support or require the AWS credential resolution chain.Problem
When
aws_credentials_provider_version = v2and no AK/SK is configured:Expected Behavior
For S3-compatible object storage: