[jira] [Created] (HADOOP-19535) S3A : Add WebIdentityTokenFileCredentialsProvider to default S3 credential provider chain

[Syed Shameerur Rahman (Jira)]

Syed Shameerur Rahman created HADOOP-19535:
----------------------------------------------

             Summary: S3A : Add WebIdentityTokenFileCredentialsProvider to 
default S3 credential provider chain
                 Key: HADOOP-19535
                 URL: https://issues.apache.org/jira/browse/HADOOP-19535
             Project: Hadoop Common
          Issue Type: Improvement
          Components: fs/s3
            Reporter: Syed Shameerur Rahman
            Assignee: Syed Shameerur Rahman


The current default s3 credential provider chain is set in the order of 
{code:java}
org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider,org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider,software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider,org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider{code}
Refer [code ref 
|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml#L1450]for
 more details.

 

This works perfectly fine when used in AWS EC2, EMR Serverless, but not with 
AWS EKS pods.

 

For EKS pods, It is recommended to use 
{color:#1d1c1d}software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider{color}

WebIdentityTokenFileCredentialsProvider is an AWS credentials provider that 
enables applications to obtain temporary AWS credentials by assuming an IAM 
role using a web identity token (like OAuth or OIDC tokens). It's particularly 
important in EKS as it's the underlying mechanism that makes IRSA (IAM Roles 
for Service Accounts) work.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org