
feat(libstore): add AWS SSO support for S3 authentication#14645

Merged
Mic92 merged 8 commits into NixOS:master from lovesegfault:s3-sts
Dec 15, 2025

Conversation

@lovesegfault (Member)

Motivation

  • libstore: add AWS SSO support for S3 authentication
  • refactor(libstore/aws-creds): improve error handling and logging
  • chore(libstore/aws-creds): remove unused includes
  • test(s3-binary-cache-store): add profile support for setup_for_s3
  • test(s3-binary-cache-store): clear credential cache between tests
  • test(s3-binary-cache-store): test profiles and provider chain

Context

Fixes: #14476


@lovesegfault lovesegfault force-pushed the s3-sts branch 2 times, most recently from 0d6ee1d to 294d846 on December 2, 2025 23:25
Mic92 and others added 7 commits December 15, 2025 19:05
This enables seamless AWS SSO authentication for S3 binary caches
without requiring users to manually export credentials.

This adds SSO support by calling aws_credentials_provider_new_sso() from
the C library directly. It builds a custom credential chain: Env → SSO →
Profile → IMDS.

The SSO provider requires a TLS context for HTTPS connections to SSO
endpoints, which is created once and shared across all providers.

Add validation for TLS context and client bootstrap initialization,
with appropriate error messages when these fail. The TLS context failure
is now a warning that gracefully disables SSO, while bootstrap failure
throws since it's required for all providers.

The default (empty) profile case was using CreateCredentialsProviderChainDefault
which didn't properly support role_arn/source_profile based role assumption via
STS because TLS context wasn't being passed to the Profile provider.

This change unifies the credential chain for all profiles (default and named),
ensuring:
- Consistent behavior between default and named profiles
- Proper TLS context is passed for STS operations
- SSO support works for both cases

The SSO provider was unconditionally setting profile_name_override to
the (potentially empty) profile string from the S3 URL. When profile
was empty, this prevented the AWS CRT SDK from falling back to the
AWS_PROFILE environment variable.

Only set profile_name_override when a profile is explicitly specified
in the URL, allowing the SDK's built-in AWS_PROFILE handling to work.
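The last commit message above describes a subtle failure mode: passing an empty profile string as an explicit override silences the SDK's own `AWS_PROFILE` fallback. The following is an added example, not code from the Nix project or the AWS CRT SDK. It models the decision in Python so the before/after behaviour can be checked on sample inputs. Assumptions: the profile is carried as the `profile` query parameter of the `s3://` store URL, and the SDK's selection order is "explicit override, then `AWS_PROFILE`, then the literal `default` profile" (the real SDK is C, and this ordering is an assumption used only for illustration).

```python
"""Added example (not Nix's or the AWS CRT SDK's code): how the optional
`profile` parameter of an s3:// store URL should map to the SSO provider's
profile_name_override, and why an unconditional override broke AWS_PROFILE
fallback. The SDK lookup order modelled here is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class SsoProviderOptions:
    # The one field the commit message discusses; None means "not set".
    profile_name_override: Optional[str]


def profile_from_store_url(url: str) -> str:
    """Return the `profile` query parameter of an s3:// store URL, "" if absent.

    Constructed input example: "s3://my-cache?region=us-east-1&profile=dev".
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    values = query.get("profile", [])
    return values[0] if values else ""


def sso_options_before_fix(profile: str) -> SsoProviderOptions:
    """Pre-fix behaviour: always pass the (possibly empty) profile string."""
    return SsoProviderOptions(profile_name_override=profile)


def sso_options_after_fix(profile: str) -> SsoProviderOptions:
    """Fixed behaviour: only override when a profile was explicitly given."""
    return SsoProviderOptions(profile_name_override=profile or None)


def effective_profile(opts: SsoProviderOptions, env: Mapping[str, str]) -> Optional[str]:
    """Model (assumption) of the SDK's profile selection.

    An explicit override, even an empty one, wins and disables the fallback;
    otherwise AWS_PROFILE is consulted, then the literal "default" profile.
    Returns None when the override is the empty string, i.e. no usable name.
    """
    if opts.profile_name_override is not None:
        return opts.profile_name_override or None
    return env.get("AWS_PROFILE") or "default"


def resolve(url: str, env: Mapping[str, str], fixed: bool) -> Optional[str]:
    """End to end: store URL plus environment -> profile the SSO provider uses."""
    profile = profile_from_store_url(url)
    build = sso_options_after_fix if fixed else sso_options_before_fix
    return effective_profile(build(profile), env)


if __name__ == "__main__":
    env = {"AWS_PROFILE": "dev-sso"}            # constructed environment
    url = "s3://my-cache?region=us-east-1"      # constructed URL, no explicit profile
    print("before fix:", resolve(url, env, fixed=False))            # None: AWS_PROFILE ignored
    print("after fix: ", resolve(url, env, fixed=True))             # dev-sso
    print("explicit:  ", resolve(url + "&profile=ci", env, fixed=True))  # ci
```

The point the model makes visible: with no `profile` in the URL, the pre-fix path hands the SDK an empty override and ends up with no usable profile at all, whereas the fixed path leaves the override unset and lets `AWS_PROFILE` (or `default`) take effect; an explicit `profile=` in the URL still wins in both versions.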
@Mic92 Mic92 enabled auto-merge December 15, 2025 18:42
@Mic92 Mic92 added this pull request to the merge queue Dec 15, 2025
Merged via the queue into NixOS:master with commit 11f5a31 Dec 15, 2025
16 checks passed
@lovesegfault lovesegfault added the backport 2.33-maintenance Automatically creates a PR against the branch label Jan 26, 2026
@internal-nix-ci

Successfully created backport PR for 2.33-maintenance:

@lovesegfault lovesegfault deleted the s3-sts branch January 26, 2026 18:09
jfroche added a commit to supabase/postgres that referenced this pull request Feb 6, 2026
2.33 introduced a regression in the s3 upload, which causes the build to
fail with "Access Denied". Downgrading to 2.32.5 should fix the issue.

Waiting for NixOS/nix#14645 to be released in 2.33.3 which should be soon (tm).
philiptaron added a commit to philiptaron/nixpkgs that referenced this pull request Feb 7, 2026
## Bug fixes

- Fix destruction of DerivationBuilder implementations (NixOS/nix#15072)
- Don't report cancelled goals as failures (NixOS/nix#14972)
- Fix `linux` build on fresh `glibc` and `gcc` (NixOS/nix#15011)

## S3 binary cache improvements

- Add AWS SSO support for S3 authentication (NixOS/nix#14645)
- Respect `AWS_PROFILE` environment variable (NixOS/nix#14645)
- Add STS support for default profile (NixOS/nix#14645)
- Skip `Accept-Encoding` header for S3 SigV4 requests (NixOS/nix#15048)
- Restart source before upload retries (NixOS/nix#15047)
- Route AWS CRT logs through Nix logger (NixOS/nix#15059)

The glibc 2.42 build fix patch is dropped as it is now included upstream.

https://github.com/NixOS/nix/releases/tag/2.33.2

Development

Successfully merging this pull request may close these issues: "Re-add support for STS credential provider for S3"