Skip to content

Add support for temporary AWS credentials to access S3#693

Merged
rapids-bot[bot] merged 17 commits intorapidsai:branch-25.06from
joosthooz:support-aws-temp-creds
May 7, 2025
Merged

Add support for temporary AWS credentials to access S3#693
rapids-bot[bot] merged 17 commits intorapidsai:branch-25.06from
joosthooz:support-aws-temp-creds

Conversation

@joosthooz
Copy link
Contributor

@joosthooz joosthooz commented Apr 14, 2025

This PR adds the x-amz-security-token header which is needed when using temporary credentials (These start with ASIA). According to the curl docs, the list of headers needs to be freed after use, So I added a destructor to S3Endpoint that does that.
Important to note is that I added a parameter for the session token, but it comes directly after the other credential parameters and before the endpoint override, making this a breaking change for code that interacts directly with these C++ APIs! But it makes it consistent with the other values; otherwise 1 of them would need to be passed only via the env var.
It seems there might be another API change here #700 so maybe both changes can be done in the same release.
I hope this is useful for others too, looking forward to any comments!

Fixes #584 (@TomAugspurger)

@joosthooz joosthooz requested a review from a team as a code owner April 14, 2025 14:55
@copy-pr-bot
Copy link

copy-pr-bot bot commented Apr 14, 2025

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

This changes the API for constructing an S3Endpoint so this is a breaking change for code that uses the C++ API.
The python layer around it does not use the parameters to pass the credentials (it relies on the env vars), so it is unaffected.
@kingcrimsontianyu kingcrimsontianyu added feature request New feature or request c++ Affects the C++ API of KvikIO labels Apr 23, 2025
@kingcrimsontianyu kingcrimsontianyu added the breaking Introduces a breaking change label Apr 23, 2025
@kingcrimsontianyu
Copy link
Contributor

I think the Python part could be briefly updated in this PR. Currently we only deal with the required parameters url, bucket_name and url_name in Cython and leave all others as default. So the Python update could simply be a docstring update, somewhere around here and here.

We may consider the support for programatically setting the optional aws-related parameters in Python in a future PR if there is a need (in addition to the current env var approach).

@joosthooz
Copy link
Contributor Author

Thank you for the comments @kingcrimsontianyu, I will address them tomorrow!

@joosthooz joosthooz requested a review from a team as a code owner April 24, 2025 08:51
@TomAugspurger
Copy link
Contributor

/ok to test 78e519b

@kingcrimsontianyu
Copy link
Contributor

@joosthooz I'll add a few more suggestions in a couple of hours to fix the CI issue. Thank you!

std::optional<std::string> aws_region = std::nullopt,
std::optional<std::string> aws_access_key = std::nullopt,
std::optional<std::string> aws_secret_access_key = std::nullopt,
std::optional<std::string> aws_session_token = std::nullopt,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add the new parameter to the end of the argument list, to avoid an API break? The types of aws_session_token and aws_endpoint_url are identical, so users of the old API will now be passing an endpoint as if it was a session token.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've made the change. It would be desirable to keep them grouped together but a hidden breaking API change sounds troublesome.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out I only changed the order in the .cpp file, should be fixed now! Also added missing documentation for the new parameter to that function.

@kingcrimsontianyu
Copy link
Contributor

/ok to test

@copy-pr-bot
Copy link

copy-pr-bot bot commented May 1, 2025

/ok to test

@kingcrimsontianyu, there was an error processing your request: E1

See the following link for more information: https://docs.gha-runners.nvidia.com/cpr/e/1/

@kingcrimsontianyu
Copy link
Contributor

/ok to test 416a004

Copy link
Contributor

@kingcrimsontianyu kingcrimsontianyu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joosthooz
Copy link
Contributor Author

Sorry @kingcrimsontianyu , I was certain I had removed that include but it turns out I didn't! Should be good now.

@kingcrimsontianyu
Copy link
Contributor

/ok to test

@copy-pr-bot
Copy link

copy-pr-bot bot commented May 6, 2025

/ok to test

@kingcrimsontianyu, there was an error processing your request: E1

See the following link for more information: https://docs.gha-runners.nvidia.com/cpr/e/1/

@kingcrimsontianyu
Copy link
Contributor

/ok to test bfb9a65

Copy link
Contributor

@kingcrimsontianyu kingcrimsontianyu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for raising the issue and coming up with a solution!

@kingcrimsontianyu
Copy link
Contributor

/merge

@rapids-bot rapids-bot bot merged commit 009df11 into rapidsai:branch-25.06 May 7, 2025
63 checks passed
@davidwendt
Copy link

Looks like this may have broken the cudf build.
@kingcrimsontianyu

@kingcrimsontianyu
Copy link
Contributor

Could you elaborate a bit? I'm not able to reproduce the build fail locally with CUDA 12.8 pip cuDF.

@davidwendt
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

breaking Introduces a breaking change c++ Affects the C++ API of KvikIO feature request New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support short-term / temporary AWS credentials

5 participants