[GitHub] [airflow] Taragolis commented on a diff in pull request #26946: Fix assume role if user explicit set credentials

Wed, 12 Oct 2022 00:12:40 -0700 


Taragolis commented on code in PR #26946:
URL: https://github.com/apache/airflow/pull/26946#discussion_r993076634


##########
airflow/providers/amazon/aws/hooks/base_aws.py:
##########
@@ -125,7 +125,13 @@ def create_session(self) -> boto3.session.Session:
             return boto3.session.Session(region_name=self.region_name)
         elif not self.role_arn:
             return self.basic_session
-        return 
self._create_session_with_assume_role(session_kwargs=self.conn.session_kwargs)
+        # Values stored in AwsConnectionWrapper.session_kwargs intend to use 
only create initial boto3 session
+        # If user want to use 'assume_role' mechanism we need provide only 
'region_name'
+        # otherwise other parameters might conflict with base botocore session.
+        assume_session_kwargs = {}
+        if self.conn.region_name:
+            assume_session_kwargs["region_name"] = self.conn.region_name

Review Comment:
   There is a lot of grey zones in `boto3`, `botocore` and 
`BaseSessionFactory`. I can't find any valuable information about 
boto3.session.Session and best practices except this:
   - https://boto3.amazonaws.com/v1/documentation/api/latest/guide/session.html
   - 
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html
 
   
   Also when i tried to found best practices how to assign 
RefreshableCredentials to boto3.session.Session I usual found on the Internet 
something like: [SO link 1](https://stackoverflow.com/a/65962450), [SO link 
2](https://stackoverflow.com/a/69226170), [some link from top 10 in Google 
search](https://feeney.mba/refreshable-aws-boto-credentials.html)
   
   So I wasn't surprised when I initially sow how it resolved in provider
   
   ```
    session = botocore.session.get_session() 
    session._credentials = credentials 
    region_name = self.basic_session.region_name 
    session.set_config_variable("region", region_name)
   ```
   
   Let's me try to add some additional information why we set some parameters 
and not set another. It might help next time when someone add changes and broke 
something. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to