Skip to content

Allow setting the Glue STS endpoint and region#14412

Merged
findepi merged 3 commits intotrinodb:masterfrom
alexjo2144:glue/sts-endpoint
Oct 4, 2022
Merged

Allow setting the Glue STS endpoint and region#14412
findepi merged 3 commits intotrinodb:masterfrom
alexjo2144:glue/sts-endpoint

Conversation

@alexjo2144
Copy link
Copy Markdown
Member

@alexjo2144 alexjo2144 commented Sep 30, 2022

Description

Add config properties to specify the STS service to use when authenticating to AWS Glue. This is needed for situations like deploying in GovCloud where the global STS endpoint should not be used.

Non-technical explanation

Add options which allow for Glue to be used in situations like GovCloud.

Release notes

( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:

# Hive
* Allow setting the AWS STS endpoint and region when using a Glue metastore.

# Delta Lake
* Allow setting the AWS STS endpoint and region when using a Glue metastore.

# Iceberg
* Allow setting the AWS STS endpoint and region when using a Glue catalog.

@cla-bot cla-bot bot added the cla-signed label Sep 30, 2022
alexjo2144
alexjo2144 commented Sep 30, 2022
View reviewed changes
...in/trino-hive/src/main/java/io/trino/plugin/hive/metastore/glue/GlueCredentialsProvider.java
provider = new STSAssumeRoleSessionCredentialsProvider
.Builder(config.getIamRole().get(), "trino-session")
.withExternalId(config.getExternalId().orElse(null))
.withLongLivedCredentialsProvider(provider)
Copy link
Copy Markdown
Member Author

@alexjo2144 alexjo2144 Sep 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note for reviewers: withLongLivedCredentialsProvider is deprecated and cannot be used along with withStsClient, that's why this change is here.

findepi
findepi reviewed Sep 30, 2022
View reviewed changes
docs/src/main/sphinx/connector/hive.rst
``hive.metastore.glue.endpoint-url`` Glue API endpoint URL (optional).
Example: ``https://glue.us-east-1.amazonaws.com``

``hive.metastore.glue.sts.region`` AWS region of the STS service to authenticate with. This is
Copy link
Copy Markdown
Member

@findepi findepi Sep 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need a new setting? why this cannot be based on hive.metastore.glue.region?

Copy link
Copy Markdown
Member Author

@alexjo2144 alexjo2144 Oct 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is necessary if we want to support situations like using Minio's STS with AWS Glue.

There's also this: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

TLDR: By default STS uses the global endpoint which is always available. You can set a region explicitly to reduce latency but STS is not available in all regions. So if we just use the Glue region but you're deployed in one of those places, for example eu-south-1, you need to use either the global endpoint or a diferent region with STS available.

I believe this means we need the setting.

@findepi findepi mentioned this pull request Oct 3, 2022
Closed
@findepi
Copy link
Copy Markdown
Member

findepi commented Oct 3, 2022

Test PR with secrets: #14444
(@nineinchnick's #12817 will make these PRs easier)

@findepi
Copy link
Copy Markdown
Member

findepi commented Oct 4, 2022

ci / build-pt (pull_request) failed (#14453)
tests need to be re-run

@findepi findepi merged commit 9ce7954 into trinodb:master Oct 4, 2022
@findepi findepi mentioned this pull request Oct 4, 2022
Closed
@github-actions github-actions bot added this to the 399 milestone Oct 4, 2022
@alexjo2144 alexjo2144 deleted the glue/sts-endpoint branch October 4, 2022 17:09
@colebow colebow mentioned this pull request Oct 5, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@findepi findepi findepi approved these changes

@findinpath findinpath Awaiting requested review from findinpath

Assignees

No one assigned

Labels

cla-signed docs

Milestone

399

Development

Successfully merging this pull request may close these issues.

2 participants

@alexjo2144 @findepi