Pass AWS client configuration to the default credentials provider chain.

[teo-tsirpanis]

SC-55378

This PR applies a similar fix to #4641, but for the DefaultAWSCredentialsProviderChain which was being implicitly used when we don't pass any credentials provider to S3Client (it's now explicitly used).

Because DefaultAWSCredentialsProviderChain does not accept a ClientConfiguration, I copied its sources, as well as the sources of all applicable credentials providers and updated them to accept a ClientConfiguration. This is a temporary measure until the changes to the providers are upstreamed to the AWS SDK.

You are encouraged to review this PR by looking at each commit individually.

---

TYPE: BUG
DESC: Fix HTTP requests for AWS default credentials provider chain not honoring config options.

[teo-tsirpanis]

The default retry strategies for the credentials providers retry some errors that our S3-specific strategy does not. How about I use a dedicated retry strategy (in a copy of the client config) for the credentials providers?

[Shelnutt2]

I thatvis a good idea to use a separate retry strategy.

[teo-tsirpanis]

Done.

[Shelnutt2]

As a follow up, can we improve the region support here? It's be nice to allow using the user set config of vfs.s3.region. It's a little unexpected for users using any of the credentials providers that the region for sta is only read from the env or profile.

We encountered this oddity with a customer running in AWS China and struggling to understand why STS was trying to hit us-east-1 instead of the cn-notth-1 that was needed and configured via the TileDB config for region.

[teo-tsirpanis]

Fixed. If the config has a region specified, it will not be overridden. I will make sure to include this to my upstream fix.

[teo-tsirpanis]

If the config has a region specified, it will not be overridden

After further thought this won't work because the region of a config always gets initialized with a value. I think the best thing to do here is always get the region in the client provider from the config, and in a subsequent PR update the default value of vfs.s3.region from us-east-1 to letting the AWS SDK choose, which would align the SDK's and TileDB's view of the default AWS region.

[teo-tsirpanis]

Updated to always get the region from the client config. Will later open a story to consider changing the default value of vfs.s3.region.

[Shelnutt2]

In thinking on this, won't this change now mean that if a user set their profile or env variables they are ignored? Can we make the sequence something like what the SDK does itself?

• TileDB Config
• ENV var
• Profile
• hard coded default?

[teo-tsirpanis]

In thinking on this, won't this change now mean that if a user set their profile or env variables they are ignored?

Yes, but this change in the credentials provider is more likely to be accepted upstream. This in combination with changing the default value of vfs.s3.region (SC-55556) will achieve the sequence you described.

[teo-tsirpanis]

Validated successfully after running the following code:

import tiledb

ctx = tiledb.Ctx({"ssl.ca_file": "/etc/dummy-file", "vfs.s3.logging_level": "trace"})
vfs = tiledb.VFS(ctx=ctx)
vfs.ls("s3://my-bucket")

and finding these lines in the AWS logs:

[INFO] 2024-09-19 12:25:06.205 STSAssumeRoleWithWebIdentityCredentialsProvider [139956143503168] Credentials have expired, attempting to renew from STS.
[TRACE] 2024-09-19 12:25:06.205 STSResourceClient [139956143503168] Retrieving credentials from https://sts.us-east-1.amazonaws.com
[…]
[DEBUG] 2024-09-19 12:25:06.209 CURL [139956143503168] (Text) Connected to sts.us-east-1.amazonaws.com (72.21.206.96) port 443

[DEBUG] 2024-09-19 12:25:06.209 CURL [139956143503168] (Text) ALPN: curl offers http/1.1

[DEBUG] 2024-09-19 12:25:06.209 CURL [139956143503168] (SSLDataOut) 5 bytes
[DEBUG] 2024-09-19 12:25:06.209 CURL [139956143503168] (Text) TLSv1.3 (OUT), TLS handshake, Client hello (1):

[DEBUG] 2024-09-19 12:25:06.209 CURL [139956143503168] (SSLDataOut) 512 bytes
[DEBUG] 2024-09-19 12:25:06.209 CURL [139956143503168] (Text) error setting certificate file: /etc/dummy-file

[DEBUG] 2024-09-19 12:25:06.209 CURL [139956143503168] (Text) error setting certificate file: /etc/dummy-file

This is ready for review.

[teo-tsirpanis]

/backport to release-2.26

[github-actions]

Started backporting to release-2.26: https://github.com/TileDB-Inc/TileDB/actions/runs/11014481076

[github-actions]

@teo-tsirpanis backporting to release-2.26 failed, the patch most likely resulted in conflicts:

$ git am --3way --ignore-whitespace --keep-non-patch changes.patch

Applying: Copy AWS SDK credentials provider sources.
Applying: Integrate the source files into the codebase.
Applying: Support passing `ClientConfiguration` to the vendored credentials providers.
Using index info to reconstruct a base tree...
M	tiledb/sm/filesystem/s3.cc
M	tiledb/sm/filesystem/s3.h
Falling back to patching base and 3-way merge...
Auto-merging tiledb/sm/filesystem/s3.h
CONFLICT (content): Merge conflict in tiledb/sm/filesystem/s3.h
Auto-merging tiledb/sm/filesystem/s3.cc
CONFLICT (content): Merge conflict in tiledb/sm/filesystem/s3.cc
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0003 Support passing `ClientConfiguration` to the vendored credentials providers.
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

[github-actions]

@teo-tsirpanis an error occurred while backporting to release-2.26, please check the run log for details!

Error: git am failed, most likely due to a merge conflict.