This is an automated email from the ASF dual-hosted git repository.
hello-stephen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 533f02b970e [improvement](cloud) Support configurable S3 credentials
providers (#62788)
533f02b970e is described below
commit 533f02b970e8c96820d7ebe646b4eadc23bc064b
Author: Yixuan Wang <[email protected]>
AuthorDate: Wed May 13 10:42:18 2026 +0800
[improvement](cloud) Support configurable S3 credentials providers (#62788)
### What problem does this PR solve?
Support configuring the AWS S3 credentials provider type for cloud
storage vaults and S3 storage parameters. This allows IAM role based
access to use providers other than instance profile, such as
environment, system
properties, web identity, container, default chain, and anonymous
credentials. The credential provider type is propagated through FE
properties, thrift/proto definitions, meta service storage vault
handling, and cloud
recycler S3 accessor creation.
```
CREATE storage vault IF NOT EXISTS s3_vault_2
PROPERTIES (
"type"="S3",
"s3.endpoint"="xxx",
"s3.role_arn" = "xxx",
"s3.region" = "us-west-1",
"s3.root.path" = "xxx",
"s3.bucket" = "xxx",
"provider" = "S3",
"use_path_style" = "false",
"s3.credentials_provider_type" = "WEB_IDENTITY",
"s3_validity_check" = "false"
);
```
```
curl "127.0.0.1:5678/MetaService/http/get_obj_store_info
```
```
{
"id": "3",
"name": "s3_vault_2",
"obj_info": {
"ctime": "1777011933",
"mtime": "1777011933",
"id": "3",
"bucket": "xxx",
"prefix": "wyx_test",
"endpoint": "xxx",
"region": "us-west-1",
"provider": "S3",
"external_endpoint": "",
"sse_enabled": true,
"use_path_style": false,
"cred_provider_type": "WEB_IDENTITY",
"role_arn": "xxx",
"external_id": ""
}
}
```
---
be/src/util/s3_util.cpp | 10 ++++
cloud/src/meta-service/meta_service_resource.cpp | 28 +++++----
cloud/src/recycler/s3_accessor.cpp | 41 ++++++++++---
cloud/src/recycler/s3_accessor.h | 3 +
common/cpp/aws_common.cpp | 12 +++-
.../org/apache/doris/catalog/S3StorageVault.java | 4 +-
.../datasource/property/storage/S3Properties.java | 67 +++++++++++++++++++++-
.../property/storage/S3PropertiesTest.java | 32 +++++++++++
gensrc/proto/cloud.proto | 5 ++
gensrc/thrift/AgentService.thrift | 7 ++-
10 files changed, 184 insertions(+), 25 deletions(-)
diff --git a/be/src/util/s3_util.cpp b/be/src/util/s3_util.cpp
index ee8293f49bd..851fbf43edf 100644
--- a/be/src/util/s3_util.cpp
+++ b/be/src/util/s3_util.cpp
@@ -626,6 +626,16 @@ static CredProviderType
cred_provider_type_from_thrift(TCredProviderType::type c
return CredProviderType::Simple;
case TCredProviderType::INSTANCE_PROFILE:
return CredProviderType::InstanceProfile;
+ case TCredProviderType::ENV:
+ return CredProviderType::Env;
+ case TCredProviderType::SYSTEM_PROPERTIES:
+ return CredProviderType::SystemProperties;
+ case TCredProviderType::WEB_IDENTITY:
+ return CredProviderType::WebIdentity;
+ case TCredProviderType::CONTAINER:
+ return CredProviderType::Container;
+ case TCredProviderType::ANONYMOUS:
+ return CredProviderType::Anonymous;
default:
__builtin_unreachable();
LOG(WARNING) << "Invalid TCredProviderType value: " <<
cred_provider_type
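Review bot: The `default:` arm below the new cases still begins with `__builtin_unreachable();`, so a `TCredProviderType` value this build does not recognise is undefined behaviour rather than a handled error, and the `LOG(WARNING)` after it can never run. The value arrives over thrift, and each enum extension like this one makes FE/BE version skew during a rolling upgrade more likely to deliver such a value. I would drop the `__builtin_unreachable();` line so the warning is emitted and the function returns a defined fallback or an error. The same pattern appears in `cred_provider_type_from_pb` in common/cpp/aws_common.cpp. The function continues past the end of this hunk, so what follows the log statement is not visible here.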
diff --git a/cloud/src/meta-service/meta_service_resource.cpp
b/cloud/src/meta-service/meta_service_resource.cpp
index b4e5e0d0b15..1c511488673 100644
--- a/cloud/src/meta-service/meta_service_resource.cpp
+++ b/cloud/src/meta-service/meta_service_resource.cpp
@@ -59,6 +59,11 @@ bool is_valid_storage_vault_name(const std::string& str) {
namespace doris::cloud {
+static CredProviderTypePB get_cred_provider_type(const ObjectStoreInfoPB& obj)
{
+ return obj.has_cred_provider_type() ? obj.cred_provider_type()
+ : CredProviderTypePB::INSTANCE_PROFILE;
+}
+
static std::string_view print_cluster_status(const ClusterStatus& status) {
switch (status) {
case ClusterStatus::UNKNOWN:
@@ -679,12 +684,11 @@ static void create_object_info_with_encrypt(const
InstanceInfoPB& instance, Obje
std::string region = obj->has_region() ? obj->region() : "";
if (obj->has_role_arn()) {
- if (obj->role_arn().empty() || !obj->has_cred_provider_type() ||
- obj->cred_provider_type() != CredProviderTypePB::INSTANCE_PROFILE
||
- !obj->has_provider() || obj->provider() != ObjectStoreInfoPB::S3
|| bucket.empty() ||
- endpoint.empty() || region.empty()) {
+ if (obj->role_arn().empty() || !obj->has_cred_provider_type() ||
!obj->has_provider() ||
+ obj->provider() != ObjectStoreInfoPB::S3 || bucket.empty() ||
endpoint.empty() ||
+ region.empty()) {
code = MetaServiceCode::INVALID_ARGUMENT;
- msg = "s3 conf info err with role_arn, please check it";
+ msg = "s3 conf info err with role_arn or cred provider, please
check it";
return;
}
} else {
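Review bot: With the `cred_provider_type() != CredProviderTypePB::INSTANCE_PROFILE` test removed, the `role_arn` branch accepts any provider type that is merely present, including `SIMPLE` and `ANONYMOUS`. Anonymous credentials cannot sign the STS AssumeRole call the recycler makes when `role_arn` is set, and `SIMPLE` has no case in `_create_credentials_provider`, so it falls through to the default chain without any error. Rejecting both here would surface the mistake at request time, for example by adding `|| obj->cred_provider_type() == CredProviderTypePB::SIMPLE || obj->cred_provider_type() == CredProviderTypePB::ANONYMOUS` to the condition. The `@@ -1330` hunk in `alter_storage_vault` has the same relaxed check, and its message was not updated to mention the provider type.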
@@ -1037,7 +1041,7 @@ static int alter_s3_storage_vault(InstanceInfoPB&
instance, std::unique_ptr<Tran
new_vault.mutable_obj_info()->clear_encryption_info();
new_vault.mutable_obj_info()->set_role_arn(obj_info.role_arn());
-
new_vault.mutable_obj_info()->set_cred_provider_type(CredProviderTypePB::INSTANCE_PROFILE);
+
new_vault.mutable_obj_info()->set_cred_provider_type(get_cred_provider_type(obj_info));
if (obj_info.has_external_id()) {
new_vault.mutable_obj_info()->set_external_id(obj_info.external_id());
}
@@ -1170,7 +1174,7 @@ static ObjectStoreInfoPB
object_info_pb_factory(ObjectStorageDesc& obj_desc,
} else {
last_item.set_role_arn(role_arn);
last_item.set_external_id(external_id);
- last_item.set_cred_provider_type(CredProviderTypePB::INSTANCE_PROFILE);
+ last_item.set_cred_provider_type(get_cred_provider_type(obj));
}
last_item.set_bucket(bucket);
// format prefix, such as `/aa/bb/`, `aa/bb//`, `//aa/bb`, ` /aa/bb` ->
`aa/bb`
@@ -1330,9 +1334,8 @@ void
MetaServiceImpl::alter_storage_vault(google::protobuf::RpcController* contr
}
if (!role_arn.empty()) {
- if (!obj.has_cred_provider_type() ||
- obj.cred_provider_type() !=
CredProviderTypePB::INSTANCE_PROFILE ||
- !obj.has_provider() || obj.provider() !=
ObjectStoreInfoPB::S3) {
+ if (!obj.has_cred_provider_type() || !obj.has_provider() ||
+ obj.provider() != ObjectStoreInfoPB::S3) {
code = MetaServiceCode::INVALID_ARGUMENT;
msg = "s3 conf info err with role_arn, please check it";
return;
@@ -1627,7 +1630,8 @@ void
MetaServiceImpl::alter_obj_store_info(google::protobuf::RpcController* cont
return;
}
- if (it.role_arn() == role_arn && it.external_id() ==
external_id) {
+ if (it.role_arn() == role_arn && it.external_id() ==
external_id &&
+ get_cred_provider_type(it) ==
get_cred_provider_type(request->obj())) {
// not change, just return ok
code = MetaServiceCode::OK;
msg = "ak/sk not changed";
@@ -1639,7 +1643,7 @@ void
MetaServiceImpl::alter_obj_store_info(google::protobuf::RpcController* cont
it.set_role_arn(role_arn);
it.set_external_id(external_id);
-
it.set_cred_provider_type(CredProviderTypePB::INSTANCE_PROFILE);
+
it.set_cred_provider_type(get_cred_provider_type(request->obj()));
}
auto now_time = std::chrono::system_clock::now();
diff --git a/cloud/src/recycler/s3_accessor.cpp
b/cloud/src/recycler/s3_accessor.cpp
index 9c98d3dc8af..cc4384b75a5 100644
--- a/cloud/src/recycler/s3_accessor.cpp
+++ b/cloud/src/recycler/s3_accessor.cpp
@@ -20,7 +20,9 @@
#include <aws/core/auth/AWSAuthSigner.h>
#include <aws/core/auth/AWSCredentials.h>
#include <aws/core/auth/AWSCredentialsProviderChain.h>
+#include <aws/core/auth/STSCredentialsProvider.h>
#include <aws/core/client/DefaultRetryStrategy.h>
+#include <aws/core/platform/Environment.h>
#include <aws/identity-management/auth/STSAssumeRoleCredentialsProvider.h>
#include <aws/s3/S3Client.h>
#include <aws/sts/STSClient.h>
@@ -238,7 +240,12 @@ std::optional<S3Conf> S3Conf::from_obj_store_info(const
ObjectStoreInfoPB& obj_i
if (obj_info.has_role_arn() && !obj_info.role_arn().empty()) {
s3_conf.role_arn = obj_info.role_arn();
s3_conf.external_id = obj_info.external_id();
- s3_conf.cred_provider_type = CredProviderType::InstanceProfile;
+ if (obj_info.has_cred_provider_type()) {
+ s3_conf.cred_provider_type =
+
cred_provider_type_from_pb(obj_info.cred_provider_type());
+ } else {
+ s3_conf.cred_provider_type = CredProviderType::InstanceProfile;
+ }
}
}
@@ -314,6 +321,28 @@ std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
S3Accessor::_get_aws_credenti
return std::make_shared<Aws::Auth::DefaultAWSCredentialsProviderChain>();
}
+std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
S3Accessor::_create_credentials_provider(
+ CredProviderType type) {
+ switch (type) {
+ case CredProviderType::Env:
+ return
std::make_shared<Aws::Auth::EnvironmentAWSCredentialsProvider>();
+ case CredProviderType::SystemProperties:
+ return
std::make_shared<Aws::Auth::ProfileConfigFileAWSCredentialsProvider>();
+ case CredProviderType::WebIdentity:
+ return
std::make_shared<Aws::Auth::STSAssumeRoleWebIdentityCredentialsProvider>();
+ case CredProviderType::Container:
+ return std::make_shared<Aws::Auth::TaskRoleCredentialsProvider>(
+
Aws::Environment::GetEnv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI").c_str());
+ case CredProviderType::InstanceProfile:
+ return
std::make_shared<Aws::Auth::InstanceProfileCredentialsProvider>();
+ case CredProviderType::Anonymous:
+ return std::make_shared<Aws::Auth::AnonymousAWSCredentialsProvider>();
+ case CredProviderType::Default:
+ default:
+ return std::make_shared<CustomAwsCredentialsProviderChain>();
+ }
+}
+
std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
S3Accessor::_get_aws_credentials_provider_v2(
const S3Conf& s3_conf) {
if (!s3_conf.ak.empty() && !s3_conf.sk.empty()) {
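Review bot: The `Container` arm passes `Aws::Environment::GetEnv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")` straight to `TaskRoleCredentialsProvider` without checking that the variable is set, so on a host without it the provider is built with an empty resource path and the misconfiguration only shows up later as failed credential fetches. Check for an empty value and log it, as sketched below; falling back to the chain is one choice, and failing accessor initialisation is the stricter one (`LOG(WARNING)` is assumed to be available in this file, as it is in aws_common.cpp). Separately, `SystemProperties` maps to `ProfileConfigFileAWSCredentialsProvider` while the proto and thrift comments call it `SystemPropertiesCredentialsProvider`. A comment on that case should state that the C++ side reads the shared AWS profile file, since that is a different credential source from the one the name suggests.

```cpp
    case CredProviderType::Container: {
        const Aws::String relative_uri =
                Aws::Environment::GetEnv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
        if (relative_uri.empty()) {
            // Make the misconfiguration visible instead of building a provider
            // that can never fetch credentials.
            LOG(WARNING) << "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set, "
                            "CONTAINER credentials provider cannot be used";
            return std::make_shared<CustomAwsCredentialsProviderChain>();
        }
        return std::make_shared<Aws::Auth::TaskRoleCredentialsProvider>(relative_uri.c_str());
    }
    // … unchanged: remaining cases …
```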
@@ -322,11 +351,7 @@ std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
S3Accessor::_get_aws_credenti
return
std::make_shared<Aws::Auth::SimpleAWSCredentialsProvider>(std::move(aws_cred));
}
- if (s3_conf.cred_provider_type == CredProviderType::InstanceProfile) {
- if (s3_conf.role_arn.empty()) {
- return std::make_shared<CustomAwsCredentialsProviderChain>();
- }
-
+ if (!s3_conf.role_arn.empty()) {
Aws::Client::ClientConfiguration clientConfiguration =
S3Environment::getClientConfiguration();
if (_ca_cert_file_path.empty()) {
@@ -338,13 +363,13 @@ std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
S3Accessor::_get_aws_credenti
}
auto stsClient = std::make_shared<Aws::STS::STSClient>(
- std::make_shared<CustomAwsCredentialsProviderChain>(),
clientConfiguration);
+ _create_credentials_provider(s3_conf.cred_provider_type),
clientConfiguration);
return std::make_shared<Aws::Auth::STSAssumeRoleCredentialsProvider>(
s3_conf.role_arn, Aws::String(), s3_conf.external_id,
Aws::Auth::DEFAULT_CREDS_LOAD_FREQ_SECONDS, stsClient);
}
- return std::make_shared<CustomAwsCredentialsProviderChain>();
+ return _create_credentials_provider(s3_conf.cred_provider_type);
}
std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
S3Accessor::get_aws_credentials_provider(
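Review bot: The STS client's base credentials change from `CustomAwsCredentialsProviderChain` to `_create_credentials_provider(s3_conf.cred_provider_type)`, and every vault written before this commit carries `INSTANCE_PROFILE` because that value was hard-coded, so existing `role_arn` vaults move from the chain to `InstanceProfileCredentialsProvider` alone. Deployments that relied on the chain to find environment, web-identity or container credentials would presumably lose access after upgrade until the vault is altered, and the final `return` narrows configurations without a `role_arn` in the same way. If that is intended it deserves an upgrade note; otherwise keeping the chain for `InstanceProfile`, or migrating stored values, would preserve behaviour. What `CustomAwsCredentialsProviderChain` contains is not visible in this diff, so the impact should be confirmed against its definition.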
diff --git a/cloud/src/recycler/s3_accessor.h b/cloud/src/recycler/s3_accessor.h
index 652f0c0681a..28d12c7f980 100644
--- a/cloud/src/recycler/s3_accessor.h
+++ b/cloud/src/recycler/s3_accessor.h
@@ -163,6 +163,9 @@ protected:
std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
_get_aws_credentials_provider_v2(
const S3Conf& s3_conf);
+ std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
_create_credentials_provider(
+ CredProviderType type);
+
std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
get_aws_credentials_provider(
const S3Conf& s3_conf);
diff --git a/common/cpp/aws_common.cpp b/common/cpp/aws_common.cpp
index c8f5e4faf47..3c7f5a0eda5 100644
--- a/common/cpp/aws_common.cpp
+++ b/common/cpp/aws_common.cpp
@@ -29,6 +29,16 @@ CredProviderType
cred_provider_type_from_pb(cloud::CredProviderTypePB cred_provi
return CredProviderType::Simple;
case cloud::CredProviderTypePB::INSTANCE_PROFILE:
return CredProviderType::InstanceProfile;
+ case cloud::CredProviderTypePB::ENV:
+ return CredProviderType::Env;
+ case cloud::CredProviderTypePB::SYSTEM_PROPERTIES:
+ return CredProviderType::SystemProperties;
+ case cloud::CredProviderTypePB::WEB_IDENTITY:
+ return CredProviderType::WebIdentity;
+ case cloud::CredProviderTypePB::CONTAINER:
+ return CredProviderType::Container;
+ case cloud::CredProviderTypePB::ANONYMOUS:
+ return CredProviderType::Anonymous;
default:
__builtin_unreachable();
LOG(WARNING) << "Invalid CredProviderTypePB value: " <<
cred_provider_type
@@ -74,4 +84,4 @@ std::string get_valid_ca_cert_path(const
std::vector<std::string>& ca_cert_file_
}
return "";
}
-}
\ No newline at end of file
+}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/S3StorageVault.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/S3StorageVault.java
index b2a8b61fff1..d312cc0e45d 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/S3StorageVault.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/S3StorageVault.java
@@ -72,6 +72,7 @@ public class S3StorageVault extends StorageVault {
public static final String BUCKET = S3Properties.BUCKET;
public static final String ROLE_ARN = S3Properties.ROLE_ARN;
public static final String EXTERNAL_ID = S3Properties.EXTERNAL_ID;
+ public static final String CREDENTIALS_PROVIDER_TYPE =
S3Properties.CREDENTIALS_PROVIDER_TYPE;
}
public static final HashSet<String> ALLOW_ALTER_PROPERTIES = new
HashSet<>(Arrays.asList(
@@ -81,7 +82,8 @@ public class S3StorageVault extends StorageVault {
PropertyKey.SECRET_KEY,
PropertyKey.USE_PATH_STYLE,
PropertyKey.ROLE_ARN,
- PropertyKey.EXTERNAL_ID
+ PropertyKey.EXTERNAL_ID,
+ PropertyKey.CREDENTIALS_PROVIDER_TYPE
));
@SerializedName(value = "properties")
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/datasource/property/storage/S3Properties.java
b/fe/fe-core/src/main/java/org/apache/doris/datasource/property/storage/S3Properties.java
index db4608be2d0..d0166e195f9 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/datasource/property/storage/S3Properties.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/datasource/property/storage/S3Properties.java
@@ -473,6 +473,7 @@ public class S3Properties extends
AbstractS3CompatibleProperties {
public static final String ROLE_ARN = "AWS_ROLE_ARN";
public static final String EXTERNAL_ID = "AWS_EXTERNAL_ID";
+ public static final String CREDENTIALS_PROVIDER_TYPE =
"AWS_CREDENTIALS_PROVIDER_TYPE";
public static final List<String> REQUIRED_FIELDS =
Arrays.asList(ENDPOINT);
public static final List<String> FS_KEYS = Arrays.asList(ENDPOINT,
REGION, ACCESS_KEY, SECRET_KEY, TOKEN,
@@ -562,6 +563,68 @@ public class S3Properties extends
AbstractS3CompatibleProperties {
if (properties.containsKey(Env.EXTERNAL_ID)) {
properties.putIfAbsent(EXTERNAL_ID,
properties.get(Env.EXTERNAL_ID));
}
+
+ if (properties.containsKey(Env.CREDENTIALS_PROVIDER_TYPE)) {
+ properties.putIfAbsent(CREDENTIALS_PROVIDER_TYPE,
properties.get(Env.CREDENTIALS_PROVIDER_TYPE));
+ }
+ }
+
+ private static AwsCredentialsProviderMode
getCredentialsProviderMode(Map<String, String> properties,
+ AwsCredentialsProviderMode defaultMode) {
+ String mode = properties.get(CREDENTIALS_PROVIDER_TYPE);
+ if (StringUtils.isBlank(mode)) {
+ mode = properties.get(Env.CREDENTIALS_PROVIDER_TYPE);
+ }
+ if (StringUtils.isBlank(mode)) {
+ return defaultMode;
+ }
+ return AwsCredentialsProviderMode.fromString(mode);
+ }
+
+ private static CredProviderTypePB getCredProviderTypePB(Map<String,
String> properties) {
+ AwsCredentialsProviderMode mode =
getCredentialsProviderMode(properties,
+ AwsCredentialsProviderMode.INSTANCE_PROFILE);
+ switch (mode) {
+ case DEFAULT:
+ return CredProviderTypePB.DEFAULT;
+ case ENV:
+ return CredProviderTypePB.ENV;
+ case SYSTEM_PROPERTIES:
+ return CredProviderTypePB.SYSTEM_PROPERTIES;
+ case WEB_IDENTITY:
+ return CredProviderTypePB.WEB_IDENTITY;
+ case CONTAINER:
+ return CredProviderTypePB.CONTAINER;
+ case INSTANCE_PROFILE:
+ return CredProviderTypePB.INSTANCE_PROFILE;
+ case ANONYMOUS:
+ return CredProviderTypePB.ANONYMOUS;
+ default:
+ throw new IllegalArgumentException("Unsupported AWS
credentials provider mode: " + mode);
+ }
+ }
+
+ private static TCredProviderType getTCredProviderType(Map<String, String>
properties) {
+ AwsCredentialsProviderMode mode =
getCredentialsProviderMode(properties,
+ AwsCredentialsProviderMode.INSTANCE_PROFILE);
+ switch (mode) {
+ case DEFAULT:
+ return TCredProviderType.DEFAULT;
+ case ENV:
+ return TCredProviderType.ENV;
+ case SYSTEM_PROPERTIES:
+ return TCredProviderType.SYSTEM_PROPERTIES;
+ case WEB_IDENTITY:
+ return TCredProviderType.WEB_IDENTITY;
+ case CONTAINER:
+ return TCredProviderType.CONTAINER;
+ case INSTANCE_PROFILE:
+ return TCredProviderType.INSTANCE_PROFILE;
+ case ANONYMOUS:
+ return TCredProviderType.ANONYMOUS;
+ default:
+ throw new IllegalArgumentException("Unsupported AWS
credentials provider mode: " + mode);
+ }
}
private static final Pattern IPV4_PORT_PATTERN =
Pattern.compile("((?:\\d{1,3}\\.){3}\\d{1,3}:\\d{1,5})");
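Review bot: `getCredProviderTypePB` and `getTCredProviderType` fall back to `INSTANCE_PROFILE` whenever the property is absent, so a property map that carries a role ARN but no provider type always puts an explicit `INSTANCE_PROFILE` on the wire. If an ALTER that changes only the role ARN builds its request from the altered properties alone (not visible here), the meta service would overwrite a stored `WEB_IDENTITY` or `CONTAINER` with `INSTANCE_PROFILE`; that is worth confirming and covering with a test. The helpers also lack Javadoc stating the lookup order (`CREDENTIALS_PROVIDER_TYPE`, then `Env.CREDENTIALS_PROVIDER_TYPE`, then the default). The two switches are identical apart from the target enum, so a single mapping keyed by `AwsCredentialsProviderMode` would keep them from drifting apart.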
@@ -638,7 +701,7 @@ public class S3Properties extends
AbstractS3CompatibleProperties {
if (properties.containsKey(S3Properties.EXTERNAL_ID)) {
builder.setExternalId(properties.get(S3Properties.EXTERNAL_ID));
}
- builder.setCredProviderType(CredProviderTypePB.INSTANCE_PROFILE);
+ builder.setCredProviderType(getCredProviderTypePB(properties));
}
return builder;
@@ -652,7 +715,7 @@ public class S3Properties extends
AbstractS3CompatibleProperties {
if (properties.containsKey(S3Properties.EXTERNAL_ID)) {
s3Info.setExternalId(properties.get(S3Properties.EXTERNAL_ID));
}
- s3Info.setCredProviderType(TCredProviderType.INSTANCE_PROFILE);
+ s3Info.setCredProviderType(getTCredProviderType(properties));
}
s3Info.setEndpoint(properties.get(S3Properties.ENDPOINT));
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/datasource/property/storage/S3PropertiesTest.java
b/fe/fe-core/src/test/java/org/apache/doris/datasource/property/storage/S3PropertiesTest.java
index abe52d64cc4..97bb862df33 100644
---
a/fe/fe-core/src/test/java/org/apache/doris/datasource/property/storage/S3PropertiesTest.java
+++
b/fe/fe-core/src/test/java/org/apache/doris/datasource/property/storage/S3PropertiesTest.java
@@ -17,9 +17,13 @@
package org.apache.doris.datasource.property.storage;
+import org.apache.doris.catalog.S3StorageVault;
+import org.apache.doris.cloud.proto.Cloud.CredProviderTypePB;
import org.apache.doris.common.Config;
import org.apache.doris.common.ExceptionChecker;
import org.apache.doris.common.UserException;
+import org.apache.doris.thrift.TCredProviderType;
+import org.apache.doris.thrift.TS3StorageParam;
import com.google.common.collect.Maps;
import org.junit.jupiter.api.Assertions;
@@ -260,6 +264,34 @@ public class S3PropertiesTest {
Assertions.assertNull(backendProperties.get("AWS_EXTERNAL_ID"));
}
+ @Test
+ public void testS3IamRoleCredentialsProviderTypeForCloudAndThrift() {
+ origProps.put("s3.endpoint", "s3.us-west-2.amazonaws.com");
+ origProps.put("s3.region", "us-west-2");
+ origProps.put("s3.bucket", "bucket");
+ origProps.put("s3.root.path", "root");
+ origProps.put("s3.role_arn",
"arn:aws:iam::123456789012:role/MyTestRole");
+
+ Assertions.assertEquals(CredProviderTypePB.INSTANCE_PROFILE,
+
S3Properties.getObjStoreInfoPB(origProps).getCredProviderType());
+ TS3StorageParam s3StorageParam =
S3Properties.getS3TStorageParam(origProps);
+ Assertions.assertEquals(TCredProviderType.INSTANCE_PROFILE,
s3StorageParam.getCredProviderType());
+
+ origProps.put("s3.credentials_provider_type", "container");
+ Assertions.assertEquals(CredProviderTypePB.CONTAINER,
+
S3Properties.getObjStoreInfoPB(origProps).getCredProviderType());
+ s3StorageParam = S3Properties.getS3TStorageParam(origProps);
+ Assertions.assertEquals(TCredProviderType.CONTAINER,
s3StorageParam.getCredProviderType());
+
+ origProps.remove("s3.credentials_provider_type");
+ origProps.put("AWS_CREDENTIALS_PROVIDER_TYPE", "env");
+ Assertions.assertEquals(CredProviderTypePB.ENV,
+
S3Properties.getObjStoreInfoPB(origProps).getCredProviderType());
+ s3StorageParam = S3Properties.getS3TStorageParam(origProps);
+ Assertions.assertEquals(TCredProviderType.ENV,
s3StorageParam.getCredProviderType());
+
Assertions.assertTrue(S3StorageVault.ALLOW_ALTER_PROPERTIES.contains(S3Properties.CREDENTIALS_PROVIDER_TYPE));
+ }
+
@Test
public void testGetAwsCredentialsProviderWithIamRoleAndExternalId() {
diff --git a/gensrc/proto/cloud.proto b/gensrc/proto/cloud.proto
index 710a0b0dd79..d16f30cb53f 100644
--- a/gensrc/proto/cloud.proto
+++ b/gensrc/proto/cloud.proto
@@ -269,6 +269,11 @@ enum CredProviderTypePB {
DEFAULT = 1; // DefaultAWSCredentialsProviderChain
SIMPLE = 2; // SimpleAWSCredentialsProvider, corresponding to (ak, sk)
INSTANCE_PROFILE = 3; // InstanceProfileCredentialsProvider
+ ENV = 4; // EnvironmentAWSCredentialsProvider
+ SYSTEM_PROPERTIES = 5; // SystemPropertiesCredentialsProvider
+ WEB_IDENTITY = 6; // STSAssumeRoleWebIdentityCredentialsProvider
+ CONTAINER = 7; // TaskRoleCredentialsProvider
+ ANONYMOUS = 8; // AnonymousAWSCredentialsProvider
}
message ObjectStoreInfoPB {
diff --git a/gensrc/thrift/AgentService.thrift
b/gensrc/thrift/AgentService.thrift
index de1354f4de3..663e5376f9f 100644
--- a/gensrc/thrift/AgentService.thrift
+++ b/gensrc/thrift/AgentService.thrift
@@ -92,7 +92,12 @@ enum TCredProviderType {
// used for creating different credentials provider when creating s3client
DEFAULT = 0, // DefaultAWSCredentialsProviderChain
SIMPLE = 1, // SimpleAWSCredentialsProvider, corresponding to (ak, sk)
- INSTANCE_PROFILE = 2 // InstanceProfileCredentialsProvider
+ INSTANCE_PROFILE = 2, // InstanceProfileCredentialsProvider
+ ENV = 3, // EnvironmentAWSCredentialsProvider
+ SYSTEM_PROPERTIES = 4, // SystemPropertiesCredentialsProvider
+ WEB_IDENTITY = 5, // STSAssumeRoleWebIdentityCredentialsProvider
+ CONTAINER = 6, // TaskRoleCredentialsProvider
+ ANONYMOUS = 7 // AnonymousAWSCredentialsProvider
}
struct TS3StorageParam {