Skip to content

feat(s3): support IAM role and default credential provider chain for s3:// crawling#174

Open
marevol wants to merge 2 commits into
masterfrom
feature/s3-default-credential-chain
Open

feat(s3): support IAM role and default credential provider chain for s3:// crawling#174
marevol wants to merge 2 commits into
masterfrom
feature/s3-default-credential-chain

Conversation

@marevol

@marevol marevol commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

The s3:// crawler client (S3Client) previously required accessKey, secretKey, and endpoint, throwing CrawlingAccessException when any was blank — before the AWS SDK client was even built. This made it impossible to crawl s3:// targets using an IAM role / instance profile / ECS task role / EKS IRSA, even though AWS SDK v2 supports the default credential provider chain out of the box.

This change makes accessKey, secretKey, and endpoint optional so IAM-role–based crawling works, while keeping existing static-credential / S3-compatible (MinIO) configurations behavior-identical. The same conditional-credentials pattern is already used by the sibling net.protocol.s3.Handler and by GcsClient.

Behavior

endpoint accessKey/secretKey behavior
set both set identical to before (endpointOverride + forcePathStyle + static credentials)
set both blank S3-compatible endpoint via the default credential chain
blank both set standard Amazon S3 (region-derived endpoint) + static credentials
blank both blank standard Amazon S3 + IAM role / default credential chain
any exactly one set CrawlingAccessException (fail fast on misconfiguration)
  • When endpoint is blank, the endpoint is derived from region (virtual-hosted style). endpointOverride + forcePathStyle(true) are retained when endpoint is set, for MinIO and other S3-compatible storage.
  • region still defaults to us-east-1; for standard Amazon S3 it should be set to the bucket's region (there is no automatic region resolution).
  • When both keys are blank, no credentials provider is set, so the AWS SDK falls back to DefaultCredentialsProvider (IAM role / instance profile / ECS task role / EKS IRSA / environment / profile).

Tests

Adds three S3ClientTest cases covering init with blank credentials (endpoint set), partial credentials (fail fast), and no endpoint / no credentials. builder.build() performs no network I/O and the default credential provider resolves lazily, so these run offline. Full S3ClientTest passes (10 tests).

Note: real IMDS / IAM-role authentication cannot be exercised in CI; the tests verify that client construction succeeds or fails fast, relying on the AWS SDK's documented default-credential-chain behavior.

Notes / follow-ups (not in this PR)

  • The storage:// client (StorageClient, MinIO SDK) has the same mandatory-credentials limitation and could get equivalent optional-credential support (MinIO's IamAwsProvider).
  • Documentation (fess-docs file-crawling config guide) could document the IAM-role usage.

marevol added 2 commits July 5, 2026 22:56
…s3:// crawling

Make accessKey, secretKey, and endpoint optional in S3Client so s3://
crawling can authenticate via the AWS default credential provider chain
(IAM role / instance profile / ECS task role / EKS IRSA / environment /
profile) instead of requiring static credentials.

- When both accessKey and secretKey are blank, no credentials provider is
  set and the AWS SDK falls back to the default provider chain.
- When endpoint is blank, the endpoint is derived from the region for
  standard Amazon S3 (virtual-hosted style); endpoint override and
  path-style access are kept for MinIO / S3-compatible storage.
- Setting exactly one of accessKey / secretKey fails fast, since a partial
  pair is almost always a misconfiguration.

Existing configurations that set endpoint plus both keys are
behavior-preserving. Adds tests for the blank-credentials, partial-
credentials, and no-endpoint init paths.
When no endpoint is configured (standard Amazon S3), enable the AWS SDK
cross-region access so buckets in any region are reachable without setting
"region" to match. This avoids a 301 PermanentRedirect on every object when
the default region does not match the bucket's region. Add an optional
"crossRegionAccessEnabled" init parameter (default true) to opt out; it is
ignored when an endpoint override is set (MinIO/S3-compatible storage).

Move the Docker-free init tests to a new S3ClientInitTest and expand coverage
(reverse credential XOR, standard S3 with static keys, cross-region
enabled/disabled/ignored), asserting the actual cross-region branch selection.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant