Taragolis commented on code in PR #26946:
URL: https://github.com/apache/airflow/pull/26946#discussion_r992780811
##########
airflow/providers/amazon/aws/hooks/base_aws.py:
##########
@@ -125,7 +125,13 @@ def create_session(self) -> boto3.session.Session:
return boto3.session.Session(region_name=self.region_name)
elif not self.role_arn:
return self.basic_session
- return
self._create_session_with_assume_role(session_kwargs=self.conn.session_kwargs)
+ # Values stored in AwsConnectionWrapper.session_kwargs intend to use
only create initial boto3 session
+ # If user want to use 'assume_role' mechanism we need provide only
'region_name'
+ # otherwise other parameters might conflict with base botocore session.
+ assume_session_kwargs = {}
+ if self.conn.region_name:
+ assume_session_kwargs["region_name"] = self.conn.region_name
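Review bot: The added lines take the region from `self.conn.region_name`, while the unchanged context line at the top of this hunk builds its session with `region_name=self.region_name`; if the two can differ, the assume-role session is created in a different region from the session built in the first branch, so use one source or state in the comment why the connection value is the right one here. The excerpt ends before the call that replaces the removed `session_kwargs=self.conn.session_kwargs`, so confirm that `assume_session_kwargs` is what gets passed to `_create_session_with_assume_role`, and add a test that credentials or a profile present in the connection's session kwargs do not reach that call. The first comment line would also read more clearly as "Values stored in AwsConnectionWrapper.session_kwargs are intended only for creating the initial boto3 session."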
Review Comment:
Unfortunately not, this is something which is not well covered in the boto3 documentation.
Initially [boto3.session.Session](https://boto3.amazonaws.com/v1/documentation/api/latest/_modules/boto3/session.html#Session) creates a low-level botocore session or uses the provided botocore.session, and after that it applies explicit credentials if they are provided.
botocore has only short info about itself in the [documentation](https://botocore.amazonaws.com/v1/documentation/api/latest/tutorial/index.html), which does not cover how to work with its session. Let me refer to the code of `boto3` and `botocore`.
_boto3.session.Session init constructor_
```python
if aws_access_key_id or aws_secret_access_key or aws_session_token:
    self._session.set_credentials(
        aws_access_key_id, aws_secret_access_key, aws_session_token
    )
```
[botocore.session.set_credentials](https://github.com/boto/botocore/blob/fec0e5bd5e4a9d7dcadb36198423e61437294fe6/botocore/session.py#L476-L495)
When we create the botocore session for assume_role we use a slightly hacky approach (access to private methods/properties):
https://github.com/apache/airflow/blob/8e2e80a0ce0e1819874e183fb1662e879cdd8a08/airflow/providers/amazon/aws/hooks/base_aws.py#L150-L153
So if we provide:
1. `aws_access_key_id` or `aws_secret_access_key` or `aws_session_token` - it will replace the assumed credentials in the botocore session. We already use these credentials when we assume the role.
2. `profile_name` - nothing bad might happen, but it is better not to provide it, since we already use it during session creation.
3. `region_name` - nothing bad happens; we use exactly the same region_name as the user provides for the initial and assume_role sessions. For the initial session `region_name` only affects the endpoint for STS.