Skip to content

[filesystem] Support AssumeRole STS for RustFS#2989

Open
fresh-borzoni wants to merge 1 commit intoapache:mainfrom
fresh-borzoni:fix-s3-sts-assume-role
Open

[filesystem] Support AssumeRole STS for RustFS#2989
fresh-borzoni wants to merge 1 commit intoapache:mainfrom
fresh-borzoni:fix-s3-sts-assume-role

Conversation

@fresh-borzoni
Copy link
Copy Markdown
Contributor

@fresh-borzoni fresh-borzoni commented Apr 3, 2026
edited
Loading

Summary

closes #2661

Fix verified end-to-end against RustFS following #2569
for tiering setup you may consult this: lakekeeper/lakekeeper#1688 in order to make it work with iceberg and lakekeeper

Before fix:

  SecurityTokenException: Failed to get file access security token: Region is not set.
  -> NoAwsCredentialsException: Dynamic session credentials for Fluss: No AWS Credentials
  ->  Flink job FAILED

After fix:

  S3DelegationTokenProvider - Obtaining session credentials via AssumeRole with access key: rustfsadmin, role: arn:xxx:xxx:xxx:xxxx
  S3DelegationTokenProvider - Session credentials obtained successfully with access key: I4MVXCHH4OV01YLLA9MC
  S3DelegationTokenReceiver - Session credentials updated successfully
  -> Flink job RUNNING

Config required for RustFS users:

  s3.region: us-east-1
  s3.assumed.role.arn: arn:xxx:xxx:xxx:xxxx
  s3.assumed.role.sts.endpoint: http://rustfs:9000

Backward compatibility:

  • Without s3.assumed.role.arn, falls back to GetSessionToken (existing AWS behavior)
  • Zero breaking changes for existing users

@fresh-borzoni
Copy link
Copy Markdown
Contributor Author

fresh-borzoni commented Apr 3, 2026

@leekeiabstraction @luoyuxia @wuchong
PTAL 🙏

@fresh-borzoni fresh-borzoni force-pushed the fix-s3-sts-assume-role branch from 1329a67 to 4351e0a Compare April 3, 2026 00:31
@luoyuxia luoyuxia requested a review from Copilot April 3, 2026 01:35
Copilot AI reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends Fluss’s S3 delegation-token acquisition to support RustFS/MinIO-style STS by allowing AssumeRole (instead of only GetSessionToken) and by supporting a configurable STS endpoint.

Changes:

  • Add support for obtaining temporary credentials via AssumeRole when fs.s3a.assumed.role.arn is configured.
  • Add support for using a custom STS endpoint via fs.s3a.assumed.role.sts.endpoint.
  • Refactor STS client construction into a helper method.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

...ystems/fluss-fs-s3/src/main/java/org/apache/fluss/fs/s3/token/S3DelegationTokenProvider.java
Comment on lines 83 to +86
public ObtainedSecurityToken obtainSecurityToken() {
LOG.info("Obtaining session credentials token with access key: {}", accessKey);

AWSSecurityTokenService stsClient =
AWSSecurityTokenServiceClientBuilder.standard()
.withRegion(region)
.withCredentials(
new AWSStaticCredentialsProvider(
new BasicAWSCredentials(accessKey, secretKey)))
.build();
GetSessionTokenResult sessionTokenResult = stsClient.getSessionToken();
Credentials credentials = sessionTokenResult.getCredentials();
AWSSecurityTokenService stsClient = buildStsClient();
Credentials credentials;

Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AWSSecurityTokenService client is created per obtainSecurityToken() call but never shut down. In AWS SDK v1 this can keep HTTP resources/threads alive; consider wrapping usage in try/finally and calling stsClient.shutdown() (or close() if available) after the STS call completes.

Copilot uses AI. Check for mistakes.
...ystems/fluss-fs-s3/src/main/java/org/apache/fluss/fs/s3/token/S3DelegationTokenProvider.java
Comment on lines +87 to +91
if (roleArn != null) {
LOG.info(
"Obtaining session credentials via AssumeRole with access key: {}, role: {}",
accessKey,
roleArn);
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The roleArn != null check treats an empty/blank config value as enabled and will attempt AssumeRole with an invalid ARN, producing a hard-to-diagnose STS error. Consider normalizing config values (e.g., trim) and validating roleArn is non-blank before entering the AssumeRole branch; otherwise fall back to GetSessionToken or fail fast with a clear message.

Copilot uses AI. Check for mistakes.
...ystems/fluss-fs-s3/src/main/java/org/apache/fluss/fs/s3/token/S3DelegationTokenProvider.java
Comment on lines +115 to +120
private AWSSecurityTokenService buildStsClient() {
AWSSecurityTokenServiceClientBuilder builder =
AWSSecurityTokenServiceClientBuilder.standard()
.withCredentials(
new AWSStaticCredentialsProvider(
new BasicAWSCredentials(accessKey, secretKey)));
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

buildStsClient() constructs BasicAWSCredentials(accessKey, secretKey) without validating accessKey/secretKey are set. If either is missing, this will fail with a low-level exception; consider adding explicit null/blank checks with a clearer error explaining which S3 config keys must be provided to obtain delegation tokens.

Copilot uses AI. Check for mistakes.
...ystems/fluss-fs-s3/src/main/java/org/apache/fluss/fs/s3/token/S3DelegationTokenProvider.java
Comment on lines +87 to +98
if (roleArn != null) {
LOG.info(
"Obtaining session credentials via AssumeRole with access key: {}, role: {}",
accessKey,
roleArn);
AssumeRoleRequest request =
new AssumeRoleRequest()
.withRoleArn(roleArn)
.withRoleSessionName("fluss-" + UUID.randomUUID());
AssumeRoleResult result = stsClient.assumeRole(request);
credentials = result.getCredentials();
} else {
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New AssumeRole path (roleArn branch) is not covered by existing S3 token IT cases (they only exercise GetSessionToken). Consider adding a focused test that verifies the AssumeRole request is used when fs.s3a.assumed.role.arn is configured (e.g., by extracting an STS client factory for mocking, or by using a local STS-compatible endpoint in tests).

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support obtain sts token from rustfs

2 participants

@fresh-borzoni