Renkai commented on a change in pull request #9387:
URL: https://github.com/apache/pulsar/pull/9387#discussion_r567552200
##########
File path:
tiered-storage/jcloud/src/main/java/org/apache/bookkeeper/mledger/offload/jcloud/provider/JCloudBlobStoreProvider.java
##########
@@ -304,33 +305,40 @@ public ProviderMetadata getProviderMetadata() {
static final CredentialBuilder AWS_CREDENTIAL_BUILDER =
(TieredStorageConfiguration config) -> {
if (config.getCredentials() == null) {
- AWSCredentials awsCredentials = null;
+ AWSCredentialsProvider authChain = null;
try {
if
(Strings.isNullOrEmpty(config.getConfigProperty(S3_ROLE_FIELD))) {
- awsCredentials =
DefaultAWSCredentialsProviderChain.getInstance().getCredentials();
+ authChain =
DefaultAWSCredentialsProviderChain.getInstance();
} else {
- awsCredentials =
+ authChain =
new
STSAssumeRoleSessionCredentialsProvider.Builder(
config.getConfigProperty(S3_ROLE_FIELD),
config.getConfigProperty(S3_ROLE_SESSION_NAME_FIELD)
- ).build().getCredentials();
- }
-
- if (awsCredentials instanceof AWSSessionCredentials) {
- // if we have session credentials, we need to send the
session token
- // this allows us to support EC2 metadata credentials
- SessionCredentials sessionCredentials =
SessionCredentials.builder()
- .accessKeyId(awsCredentials.getAWSAccessKeyId())
- .secretAccessKey(awsCredentials.getAWSSecretKey())
- .sessionToken(((AWSSessionCredentials)
awsCredentials).getSessionToken())
- .build();
- config.setProviderCredentials(() -> sessionCredentials);
- } else {
- Credentials credentials = new Credentials(
- awsCredentials.getAWSAccessKeyId(),
awsCredentials.getAWSSecretKey());
- config.setProviderCredentials(() -> credentials);
+ ).build();
}
+ // Important! Delay the building of actual credentials
+ // until later to support tokens that may be refreshed
+ // such as all session tokens
+ AWSCredentialsProvider finalAuthChain = authChain;
+ config.setProviderCredentials(() -> {
+ AWSCredentials newCreds = finalAuthChain.getCredentials();
+ Credentials jcloudCred = null;
+
+ if (newCreds instanceof AWSSessionCredentials) {
+ // if we have session credentials, we need to send the
session token
+ // this allows us to support EC2 metadata credentials
+ jcloudCred = SessionCredentials.builder()
+ .accessKeyId(newCreds.getAWSAccessKeyId())
+ .secretAccessKey(newCreds.getAWSSecretKey())
+ .sessionToken(((AWSSessionCredentials)
newCreds).getSessionToken())
+ .build();
+ } else {
+ jcloudCred = new Credentials(
Review comment:
Will we, or should we still go into this if branch in our new
implementation?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
