Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fallback to anonymous credentials in S3 client #3992

Merged
merged 5 commits into from
Jun 5, 2023
Merged

Fallback to anonymous credentials in S3 client #3992

merged 5 commits into from
Jun 5, 2023

Conversation

bentsherman
Copy link
Member

Close #3989

Based on the default S3 credentials provider, which uses the default provider chain with a fallback to anonymous credentials. Since Nextflow doesn't use the default provider chain anymore, I think we have to add this fallback ourselves.

@bentsherman
Fallback to anonymous credentials in S3 client
f8abf10 
Signed-off-by: Ben Sherman <bentshermann@gmail.com>
@bentsherman bentsherman requested a review from pditommaso June 1, 2023 17:44
@pditommaso
Copy link
Member

Nice point. However, I'm not understanding why it should happen. when the anonymous is specified this branch should be taken that uses the AnonymousAWSCredentials in explicit manner

nextflow/plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3FileSystemProvider.java

Lines 838 to 839 in 1daebee

log.debug("Creating AWS S3 client with anonymous credentials");
client = new S3Client(new AmazonS3Client(new AnonymousAWSCredentials(), clientConfig));

Also worth adding an integration tests in the tests/ folder

@bentsherman
Copy link
Member Author

I guess it's because the anonymous property isn't set:

nextflow/plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3FileSystemProvider.java

Lines 836 to 840 in 1daebee

final boolean anonymous = "true".equals(props.getProperty("anonymous"));
if( anonymous ) {
log.debug("Creating AWS S3 client with anonymous credentials");
client = new S3Client(new AmazonS3Client(new AnonymousAWSCredentials(), clientConfig));
}

As for the e2e test, how would we negate the CI runner's AWS creds before running the test?

@bentsherman
Copy link
Member Author

I see, you're talking about aws.client.anonymous in the Nextflow config. But if you enable that option, it looks like you would only be able to access public buckets. What if you want to access public and private buckets in the same run?

@bentsherman
Copy link
Member Author

Since I'll be out, if you can get it to work, a simple e2e test would be:

println file('s3://ngi-igenomes/igenomes/Homo_sapiens/Ensembl/GRCh37/Annotation/README.txt').text

pditommaso added 4 commits June 4, 2023 22:28
@pditommaso
Merge branch 'master' into 3989-s3-fallback-anonymous-creds
67144ba
@pditommaso
Improve S3 creds chain + add test
037b6ce 
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@pditommaso
Add comment [ci skip]
025bd56 
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@pditommaso
Refactored class name [ci fast]
2c8cbbd 
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@pditommaso
Copy link
Member

Ok, added the integration tests and refactored the anonymous class to S3CredentialsProvider class

@pditommaso pditommaso merged commit cf8ba46 into master Jun 5, 2023
@pditommaso pditommaso deleted the 3989-s3-fallback-anonymous-creds branch June 5, 2023 07:40
pditommaso added a commit that referenced this pull request Jun 5, 2023
@bentsherman @pditommaso
Fix access to public S3 bucket when no creds are provided (#3992)
710c287 
This commit fixed the access to public AWS S3 buckets when no AWS credentials 
are available in the hosting environment. 

It uses a custom credentials provider that fallbacks to `AnonymousAWSCredentials` 
class when no creds are detected. 

Signed-off-by: Ben Sherman <bentshermann@gmail.com>
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
Co-authored-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@bentsherman
Copy link
Member Author

Where is the integration test? I don't see it in the PR

@pditommaso
Copy link
Member

You are right. It went lost 👉 680f0a9

@drpatelh drpatelh mentioned this pull request Jun 8, 2023
Merged
4 tasks
@pditommaso pditommaso added this to the 23.10.0 milestone Jun 14, 2023
@bentsherman
Copy link
Member Author

@pditommaso should we deprecate the aws.client.anonymous config option? It seems useless if Nextflow can fallback to anonymous creds anyway.

@pditommaso
Copy link
Member

I still can be useful to avoid the normal auth flow when using non-aws cloud, I guess

@adamrtalbot adamrtalbot mentioned this pull request Aug 30, 2023
Closed
abhi18av pushed a commit to abhi18av/nextflow that referenced this pull request Oct 28, 2023
@bentsherman @pditommaso @abhi18av
Fix access to public S3 bucket when no creds are provided (nextflow-i…
56b11e4 
…o#3992)

This commit fixed the access to public AWS S3 buckets when no AWS credentials 
are available in the hosting environment. 

It uses a custom credentials provider that fallbacks to `AnonymousAWSCredentials` 
class when no creds are detected. 

Signed-off-by: Ben Sherman <bentshermann@gmail.com>
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
Co-authored-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pditommaso pditommaso Awaiting requested review from pditommaso

Assignees
No one assigned
Labels
storage/aws
Projects
None yet
Milestone
23.10.0
Development

Successfully merging this pull request may close these issues.

nf-amazon 2.0.0: Unable to load AWS credentials when running on Github Actions
2 participants
@bentsherman @pditommaso