GitHub user michaelkoepf edited a comment on the discussion: [Roadmap] Planning 0.9 Release
Hi. @wuchong I think I can also answer it.

@ka-steve #1245 introduces the ability to configure Fluss so that each component authenticates itself separately via its own credentials, rather than relying on those distributed by the Fluss server. This includes authentication via AWS credential providers that use temporary credentials that are made available on the instance by AWS (e.g., `org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider`). In other words, if all Fluss components (server/client) run on AWS, #1245 allows each component to authenticate itself separately using _temporary credentials provided by AWS_ on the instance it runs on.

Currently, Fluss relies on token delegation and does not support separate authentication for each component. This is because the server attempts to obtain a security token via STS using its access key and secret (embedded long-term credentials), as shown [here](https://github.com/apache/fluss/blob/ae84521aaaef5448a0bc5a63fc83e6ca536ca452/fluss-filesystems/fluss-fs-s3/src/main/java/org/apache/fluss/fs/s3/token/S3DelegationTokenProvider.java#L73). The client expects to receive a security token from the server on _initialization_ of the file system and fails if there is no token, see [here](https://github.com/apache/fluss/blob/ae84521aaaef5448a0bc5a63fc83e6ca536ca452/fluss-filesystems/fluss-fs-obs/src/main/java/org/apache/fluss/fs/obs/token/OBSSecurityTokenReceiver.java#L66).

Further details are also available in the updated documentation for #1245, see [here](https://github.com/apache/fluss/blob/2c7731b89381eee2d665a0f786065b0cffdc9e60/website/docs/maintenance/filesystems/s3.md).

GitHub link: https://github.com/apache/fluss/discussions/1911#discussioncomment-15052300
