Skip to content

Improve AWS credential errors#187

Merged
ghukill merged 2 commits into
mainfrom
bug-bad-aws-creds-confusing-error-message
May 15, 2026
Merged

Improve AWS credential errors#187
ghukill merged 2 commits into
mainfrom
bug-bad-aws-creds-confusing-error-message

Conversation

@ghukill
Copy link
Copy Markdown
Contributor

@ghukill ghukill commented May 15, 2026
edited
Loading

Purpose and background context

Why these changes are being introduced:

There are two main buckets (no pun intended) in which AWS credentials can fail:

  1. They are not set or stale
  2. They are pointing at the wrong environment

The error reporting for both is poor, with opaque DuckDB or boto3 errors.
For DuckDB it's during secret construction, and makes me mention of AWS.
For boto3, it's checking that destination bucket exists, which is better
but still confusing.

How this addresses that need:

  • Catches AWS related errors in very different parts of the codebase,
    surfacing a normalized error message that something is wrong with AWS
    credentials.

How can a reviewer manually see the effects of these changes?

Previously, missing or stale credentials would throw an error like this:

...
_duckdb.Error: Secret Validation Failure: during `create` using the following:
Credential Chain: 'config'

And incorrect credentials (e.g. wrong environment) would look like this:

...
botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden

With the changes, they both now look like this:

timdex_dataset_api.exceptions.AWSCredentialsError: AWS credentials absent or insufficient. Please ensure they are set and pointing at the right TIMDEX dataset environment.

See the new tests for come commentary / explanation of how to recreate (pointing at wrong environment and/or unsetting AWS credentials completely).

Includes new or updated dependencies?

NO

Changes expectations for external applications?

NO

What are the relevant tickets?

  • None

Code review

  • Code review best practices are documented here and you are encouraged to have a constructive dialogue with your reviewers about their preferences and expectations.

ghukill added 2 commits May 15, 2026 12:56
@ghukill
Improve AWS credential error reporting
b4bb5a4 
Why these changes are being introduced:

There are two main buckets (no pun intended) in which AWS credentials can fail:

1. They are not set or stale
2. They are pointing at the wrong environment

The error reporting for both is poor, with opaque DuckDB or boto3 errors.
For DuckDB it's during secret construction, and makes me mention of AWS.
For boto3, it's checking that destination bucket exists, which is better
but still confusing.

How this addresses that need:
* Catches AWS related errors in very different parts of the codebase,
surfacing a normalized error message that something is wrong with AWS
credentials.

Side effects of this change:
* None

Relevant ticket(s):
* None
@ghukill
Bump version to 5.0.1
57556e0
@ghukill ghukill requested a review from a team as a code owner May 15, 2026 17:02
ehanson8
ehanson8 approved these changes May 15, 2026
View reviewed changes
Copy link
Copy Markdown

@ehanson8 ehanson8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smart update!

@ghukill ghukill merged commit 90dac92 into main May 15, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ehanson8 ehanson8 ehanson8 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ghukill @ehanson8