Skip to content

Add support for AWS environmental credential chain for AWS storage providers #9439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 20 commits into
base: develop
Choose a base branch
from
Open

Add support for AWS environmental credential chain for AWS storage providers #9439

wants to merge 20 commits into from
+90 −10

Conversation

snelson44
Copy link

Motivation and context

Currently there is no way to use the environmental credentials chain for aws cloud storages. You must either explicitly set your credentials or cvat will assume you are attempting to do anonymous access and signing requests will be disabled entirely. I added the ability for the credentials type to be specified and passed on to the aws provider. If anonymous is requested, then signing requests will still be disabled. If credentials are given, they will be used to access aws, if credentials are not explicitly given, boto3 will look for them in the environment.

How has this been tested?

Added rest api tests for adding a cloud storage. One test to show anonymous access was still supported, and a second test to show that the aws provider could pull creds from the environment

Checklist

  • I submit my changes into the develop branch
  • I have created a changelog fragment
  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • I have linked related issues (see GitHub docs)

License

  • I submit my code changes under the same MIT License that covers the project.
    Feel free to contact the maintainers if that's a concern.

@snelson44 snelson44 marked this pull request as ready for review May 19, 2025 16:00
@Marishka17
Copy link
Contributor

Hi @snelson44, thank you for the contribution.

There are a few concerns with this approach:

  1. You haven't introduced a new credential type. This means it will not work when configuring cloud storage via UI (there are 2 credential types for AWS S3 compatible buckets: key/secret key pair that would not work without key/secret key on UI, anonymous access - env variables are not used by the newly introduced server logic).
  2. There should be one more setting parameter that enables/disables this functionality on the server (by default it should be disabled). Since it is a common code we cannot allow by default the use of the shared env variables/AWS profile configured on the host.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@azhavoro azhavoro Awaiting requested review from azhavoro azhavoro is a code owner

@zhiltsov-max zhiltsov-max Awaiting requested review from zhiltsov-max zhiltsov-max is a code owner

@SpecLad SpecLad Awaiting requested review from SpecLad SpecLad is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@snelson44 @Marishka17