[
https://issues.apache.org/jira/browse/HADOOP-19535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18007386#comment-18007386
]
ASF GitHub Bot commented on HADOOP-19535:
-----------------------------------------
shameersss1 commented on code in PR #7802:
URL: https://github.com/apache/hadoop/pull/7802#discussion_r2209256436
##########
hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/AWSCredentialProviderList.java:
##########
@@ -197,7 +197,17 @@ public AwsCredentials resolveCredentials() {
} catch (SdkException e) {
lastException = e;
LOG.debug("No credentials provided by {}: {}",
- provider, e.toString(), e);
+ provider, e);
+ } catch (Exception e) {
+ // convert any other exception into SDKException.
+ // This is required because some credential provider like
+ // WebIdentityTokenFileCredentialsProvider might throw
+ // exceptions other than SdkException.
+ if (e.getMessage() != null) {
+ lastException = SdkException.create(e.getMessage(), e);
+ }
+ LOG.debug("No credentials provided by {}: {}",
Review Comment:
Make sense!
> S3A : Add WebIdentityTokenFileCredentialsProvider to default S3 credential
> provider chain
> -----------------------------------------------------------------------------------------
>
> Key: HADOOP-19535
> URL: https://issues.apache.org/jira/browse/HADOOP-19535
> Project: Hadoop Common
> Issue Type: Improvement
> Components: fs/s3
> Reporter: Syed Shameerur Rahman
> Assignee: Syed Shameerur Rahman
> Priority: Major
> Labels: pull-request-available
>
> The current default s3 credential provider chain is set in the order of
> {code:java}
> org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider,org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider,software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider,org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider{code}
> Refer [code ref
> |https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml#L1450]for
> more details.
>
> This works perfectly fine when used in AWS EC2, EMR Serverless, but not with
> AWS EKS pods.
>
> For EKS pods, It is recommended to use
> {code:java}
> software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider
> , software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider
> (PodIdentity is enabled){code}
> WebIdentityTokenFileCredentialsProvider is an AWS credentials provider that
> enables applications to obtain temporary AWS credentials by assuming an IAM
> role using a web identity token (like OAuth or OIDC tokens). It's
> particularly important in EKS as it's the underlying mechanism that makes
> IRSA (IAM Roles for Service Accounts) work.
>
>
> ContainerCredentialsProvider is already part of
> org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
