I thought these emails were supposed to go to comm...@druid.apache.org? I do see a bunch on that list from today, so maybe this was a weird gitbox snafu.
On Sun, Apr 3, 2022 at 10:53 PM GitBox <g...@apache.org> wrote: > > cryptoe commented on code in PR #12339: > URL: https://github.com/apache/druid/pull/12339#discussion_r841385835 > > > ########## > > extensions-core/s3-extensions/src/main/java/org/apache/druid/data/input/s3/S3InputSource.java: > ########## > @@ -166,15 +175,21 @@ private void applyAssumeRole( > AWSCredentialsProvider awsCredentialsProvider > ) > { > - String assumeRoleArn = s3InputSourceConfig.getAssumeRoleArn(); > - if (assumeRoleArn != null) { > + // Do not run if WebIdentityToken file and assumeRole ARN are > detected from the environment variable, > + // we want the default s3ClientBuilder behavior for ServiceAccount + > eks.amazonaws.com/role-arn annotation to work. > > Review Comment: > Based on reading: > https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html > IMHO `AWS_WEB_IDENTITY_TOKEN_FILE` should be the lowest priority of > authentication that we should support as it looks like its more supported > for short duration access to AWS services. > However, I would somehow first check why AWS_ROLE_ARN got picked up. > Are you specifying it in the ingestion spec somewhere? > > > > > > -- > This is an automated message from the Apache Git Service. > To respond to the message, please log on to GitHub and use the > URL above to go to the specific comment. > > To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org > > For queries about this service, please contact Infrastructure at: > us...@infra.apache.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org > For additional commands, e-mail: dev-h...@druid.apache.org > >