Skip to content

[improvement](cloud) Support configurable S3 credentials providers#62788

Merged
hello-stephen merged 1 commit into
apache:masterfrom
wyxxxcat:fe_parser_credential_type
May 13, 2026
Merged

[improvement](cloud) Support configurable S3 credentials providers#62788
hello-stephen merged 1 commit into
apache:masterfrom
wyxxxcat:fe_parser_credential_type

Conversation

@wyxxxcat

@wyxxxcat wyxxxcat commented Apr 24, 2026

Copy link
Copy Markdown
Collaborator

What problem does this PR solve?

Support configuring the AWS S3 credentials provider type for cloud storage vaults and S3 storage parameters. This allows IAM role based access to use providers other than instance profile, such as environment, system
properties, web identity, container, default chain, and anonymous credentials. The credential provider type is propagated through FE properties, thrift/proto definitions, meta service storage vault handling, and cloud
recycler S3 accessor creation.

CREATE storage vault IF NOT EXISTS s3_vault_2
    PROPERTIES (
    "type"="S3",
    "s3.endpoint"="xxx",
    "s3.role_arn" = "xxx",
    "s3.region" = "us-west-1",
    "s3.root.path" = "xxx",
    "s3.bucket" = "xxx",
    "provider" = "S3",
    "use_path_style" = "false",
    "s3.credentials_provider_type" = "WEB_IDENTITY",
    "s3_validity_check" = "false"
);

curl "127.0.0.1:5678/MetaService/http/get_obj_store_info
{
    "id": "3",
    "name": "s3_vault_2",
    "obj_info": {
        "ctime": "1777011933",
        "mtime": "1777011933",
        "id": "3",
        "bucket": "xxx",
        "prefix": "wyx_test",
        "endpoint": "xxx",
        "region": "us-west-1",
        "provider": "S3",
        "external_endpoint": "",
        "sse_enabled": true,
        "use_path_style": false,
        "cred_provider_type": "WEB_IDENTITY",
        "role_arn": "xxx",
        "external_id": ""
    }
}

Issue Number: close #xxx

Related PR: #xxx

Problem Summary:

Release note

None

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason
  • Behavior changed:

    • No.
    • Yes.
  • Does this need documentation?

    • No.
    • Yes.

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label

@Thearas

Thearas commented Apr 24, 2026

Copy link
Copy Markdown
Contributor

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@wyxxxcat
wyxxxcat requested a review from CalvinKirs April 24, 2026 06:30
@wyxxxcat
wyxxxcat force-pushed the fe_parser_credential_type branch from bc6765a to f769e01 Compare April 24, 2026 06:31
@wyxxxcat

Copy link
Copy Markdown
Collaborator Author

/review

@wyxxxcat
wyxxxcat force-pushed the fe_parser_credential_type branch from f769e01 to 24f241c Compare April 24, 2026 06:36
@wyxxxcat

Copy link
Copy Markdown
Collaborator Author

run buildall

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't approve this PR as-is because the new credential-provider support is only partially wired through the FE/BE/cloud paths.

  • Goal / correctness: Not met yet. The PR aims to support configurable S3 credential providers for cloud storage vaults and S3 storage parameters, but several user-visible paths still drop or mis-handle the new setting.
  • Scope / focus: The diff is focused, but the feature is incomplete because not all receivers and alter flows were updated.
  • Concurrency: No new concurrency or lock-order issue stood out in the touched code.
  • Lifecycle: No new special lifecycle problem was identified in the touched paths.
  • Config changes: No new config item was added, but existing aws_credentials_provider_version still supports both v1 and v2, so both paths must behave correctly.
  • Compatibility: The thrift/proto enum expansion is not safe yet because not every consumer understands the new values.
  • Parallel code paths: Not fully updated. The SQL vault alter path, MetaService ALTER_OBJ_INFO path, and supported v1 provider-selection path still diverge.
  • Conditional logic: The new alter logic still ignores cred_provider_type in one live path.
  • Test coverage: FE unit coverage was added for role-based mapping, but coverage is still missing for non-role TS3StorageParam, BE thrift decoding, ALTER STORAGE VAULT provider-only updates, alter_obj_info, and v1 behavior.
  • Observability: Existing logging looks sufficient for this change.
  • Persistence / metadata: Existing transaction/persistence structure looks fine, but the altered provider type is not written in all paths.
  • Data writes: No new data-plane atomicity issue was identified beyond the metadata propagation bugs above.
  • FE-BE variable propagation: Incomplete; the new field/enums are not handled consistently on the receiving side.
  • Performance: No material performance issue found in the changed code.
  • User focus: No additional user-provided review focus was supplied.

Please fix the propagation/alter-path gaps and add end-to-end tests for the missing scenarios before merging.

SIMPLE = 1, // SimpleAWSCredentialsProvider, corresponding to (ak, sk)
INSTANCE_PROFILE = 2 // InstanceProfileCredentialsProvider
INSTANCE_PROFILE = 2, // InstanceProfileCredentialsProvider
ENV = 3, // EnvironmentAWSCredentialsProvider

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding new thrift enum values here also requires updating the BE decoder in be/src/util/s3_util.cpp::cred_provider_type_from_thrift(). That switch still handles only DEFAULT, SIMPLE, and INSTANCE_PROFILE; when FE sends one of these new values through TS3StorageParam (for example from PushStoragePolicyTask), BE falls into the default arm. Because that arm contains __builtin_unreachable(), this is undefined behavior rather than a safe fallback.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@@ -1639,7 +1642,7 @@

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ALTER_OBJ_INFO still cannot change cred_provider_type. The early-return above only compares role_arn and external_id, and this assignment reads from the existing record it instead of the request object. So /MetaService/http/alter_obj_info either returns "not changed" or writes the old/default provider type back, which means the new provider types never persist on this live API.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done


if (s3_conf.cred_provider_type == CredProviderType::InstanceProfile) {
if (s3_conf.role_arn.empty()) {
return std::make_shared<CustomAwsCredentialsProviderChain>();

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This wires the new provider-type support only into the v2 branch. get_aws_credentials_provider() still dispatches to _get_aws_credentials_provider_v1() when aws_credentials_provider_version=v1, and that implementation below only honors INSTANCE_PROFILE for role-based configs. A vault persisted with role_arn + ENV/CONTAINER/WEB_IDENTITY/... will therefore stop using STSAssumeRoleCredentialsProvider entirely on a supported v1 deployment.

@hello-stephen

Copy link
Copy Markdown
Contributor

Cloud UT Coverage Report

Increment line coverage 29.27% (12/41) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 78.04% (1844/2363)
Line Coverage 64.73% (33002/50981)
Region Coverage 65.22% (16370/25099)
Branch Coverage 55.77% (8742/15676)

@hello-stephen

Copy link
Copy Markdown
Contributor

FE Regression Coverage Report

Increment line coverage 0.40% (1/250) 🎉
Increment coverage report
Complete coverage report

@gavinchou

Copy link
Copy Markdown
Contributor

Behavioral Change (Needs Attention)
_get_aws_credentials_provider_v2 behavior change (cloud/src/recycler/s3_accessor.cpp:351):
Old code only entered the role-ARN path when cred_provider_type == InstanceProfile:
if (s3_conf.cred_provider_type == CredProviderType::InstanceProfile) {
if (s3_conf.role_arn.empty()) {
return DefaultAWSCredentialsProviderChain; // fallback
}
// assume role with CustomAwsCredentialsProviderChain as STS client
}
return DefaultAWSCredentialsProviderChain; // fallback
New code enters role-ARN path for ANY cred_provider_type when role_arn is set:
if (!s3_conf.role_arn.empty()) {
// assume role with _create_credentials_provider(type) as STS client
}
return _create_credentials_provider(s3_conf.cred_provider_type);
This is intentional (the feature's purpose) but changes the credential resolution logic. For example, with role_arn set and cred_provider_type=Env, the STS client now uses EnvironmentAWSCredentialsProvider instead of the default chain.

Issues Found

  1. Validation removal may be too permissive (meta_service_resource.cpp:684, :1334):
    Old code rejected non-INSTANCE_PROFILE cred_provider_type with role_arn. Now any type is accepted. This is the feature intent, but consider: should SIMPLE (ak/sk) + role_arn be rejected as conflicting?
  2. Error message stale (meta_service_resource.cpp:689):
    Error says "s3 conf info err with role_arn, please check it" — now that any cred_provider_type is valid with role_arn, this message should be more specific about what's actually wrong.
  3. Missing BE unit tests: Only FE unit tests are added. The _create_credentials_provider function and the cred_provider_type resolution in S3Conf::from_obj_store_info should have BE tests.
  4. Release note says "None" but should be updated: This is a user-visible feature (new s3.credentials_provider_type configuration option). The release note should document the new capability.
  5. CredProviderType::Simple not handled in _create_credentials_provider: The switch doesn't have a Simple case. If someone sets cred_provider_type=SIMPLE without ak/sk (which would be unusual), it falls through to default → CustomAwsCredentialsProviderChain. This is probably fine but worth a comment.

@hello-stephen

Copy link
Copy Markdown
Contributor

BE UT Coverage Report

Increment line coverage 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 53.31% (20385/38237)
Line Coverage 36.86% (192052/521091)
Region Coverage 33.20% (149484/450243)
Branch Coverage 34.29% (65337/190566)

@hello-stephen

Copy link
Copy Markdown
Contributor

BE Regression && UT Coverage Report

Increment line coverage 100% (0/0) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 71.39% (26753/37476)
Line Coverage 53.75% (279329/519702)
Region Coverage 47.01% (214251/455740)
Branch Coverage 50.43% (97214/192788)

@wyxxxcat
wyxxxcat force-pushed the fe_parser_credential_type branch from 24f241c to 895964c Compare April 27, 2026 02:23
@wyxxxcat

Copy link
Copy Markdown
Collaborator Author

run buildall

@hello-stephen

Copy link
Copy Markdown
Contributor

FE UT Coverage Report

Increment line coverage 54.84% (17/31) 🎉
Increment coverage report
Complete coverage report

@hello-stephen

Copy link
Copy Markdown
Contributor

BE UT Coverage Report

Increment line coverage 0.00% (0/10) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 53.37% (20427/38271)
Line Coverage 36.92% (192549/521544)
Region Coverage 33.24% (149841/450759)
Branch Coverage 34.36% (65550/190784)

@hello-stephen

Copy link
Copy Markdown
Contributor

BE Regression && UT Coverage Report

Increment line coverage 0.00% (0/10) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 73.71% (27640/37496)
Line Coverage 57.50% (299167/520249)
Region Coverage 54.66% (248749/455085)
Branch Coverage 56.21% (107656/191514)

@hello-stephen

Copy link
Copy Markdown
Contributor

FE Regression Coverage Report

Increment line coverage 3.23% (1/31) 🎉
Increment coverage report
Complete coverage report

@hello-stephen

Copy link
Copy Markdown
Contributor

BE Regression && UT Coverage Report

Increment line coverage 0.00% (0/10) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 73.71% (27640/37496)
Line Coverage 57.50% (299167/520249)
Region Coverage 54.66% (248749/455085)
Branch Coverage 56.21% (107656/191514)

2 similar comments
@hello-stephen

Copy link
Copy Markdown
Contributor

BE Regression && UT Coverage Report

Increment line coverage 0.00% (0/10) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 73.71% (27640/37496)
Line Coverage 57.50% (299167/520249)
Region Coverage 54.66% (248749/455085)
Branch Coverage 56.21% (107656/191514)

@hello-stephen

Copy link
Copy Markdown
Contributor

BE Regression && UT Coverage Report

Increment line coverage 0.00% (0/10) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 73.71% (27640/37496)
Line Coverage 57.50% (299167/520249)
Region Coverage 54.66% (248749/455085)
Branch Coverage 56.21% (107656/191514)

gavinchou
gavinchou previously approved these changes May 7, 2026
@github-actions github-actions Bot added the approved Indicates a PR has been approved by one committer. label May 7, 2026
@github-actions

github-actions Bot commented May 7, 2026

Copy link
Copy Markdown
Contributor

PR approved by at least one committer and no changes requested.

CalvinKirs
CalvinKirs previously approved these changes May 7, 2026
@wyxxxcat
wyxxxcat force-pushed the fe_parser_credential_type branch from 272a1b6 to 276ba2d Compare May 11, 2026 02:45
@wyxxxcat

Copy link
Copy Markdown
Collaborator Author

run buildall

@hello-stephen

Copy link
Copy Markdown
Contributor
TPC-H: Total hot run time: 29899 ms
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 276ba2da9867bd3ef3025bbc09f33f0b2165e464, data reload: false

------ Round 1 ----------------------------------
orders	Doris	NULL	NULL	0	0	0	NULL	0	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	17630	3965	3961	3961
q2	q3	10808	891	610	610
q4	4716	469	351	351
q5	8224	1359	1141	1141
q6	345	176	139	139
q7	953	953	759	759
q8	11058	1404	1316	1316
q9	7507	5630	5384	5384
q10	6489	2095	1796	1796
q11	466	270	260	260
q12	688	429	301	301
q13	18209	3431	2759	2759
q14	300	286	260	260
q15	q16	892	869	792	792
q17	1007	980	787	787
q18	6578	5789	5592	5592
q19	1187	1461	1167	1167
q20	533	429	269	269
q21	4596	2330	1913	1913
q22	472	380	342	342
Total cold run time: 102658 ms
Total hot run time: 29899 ms

----- Round 2, with runtime_filter_mode=off -----
orders	Doris	NULL	NULL	150000000	42	6422171781	NULL	22778155	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	4716	4556	4583	4556
q2	q3	4678	4778	4184	4184
q4	2114	2155	1418	1418
q5	5030	5020	5308	5020
q6	203	163	137	137
q7	2074	2081	1675	1675
q8	3400	3143	3131	3131
q9	8399	8464	8476	8464
q10	4477	4468	4277	4277
q11	606	408	397	397
q12	682	744	536	536
q13	3252	3578	3009	3009
q14	312	302	276	276
q15	q16	751	794	673	673
q17	1350	1306	1238	1238
q18	7917	7142	7177	7142
q19	1176	1180	1074	1074
q20	2209	2194	1919	1919
q21	6080	5333	4784	4784
q22	523	471	403	403
Total cold run time: 59949 ms
Total hot run time: 54313 ms

@hello-stephen

Copy link
Copy Markdown
Contributor

FE UT Coverage Report

Increment line coverage 54.84% (17/31) 🎉
Increment coverage report
Complete coverage report

@hello-stephen

Copy link
Copy Markdown
Contributor
TPC-DS: Total hot run time: 170212 ms
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 276ba2da9867bd3ef3025bbc09f33f0b2165e464, data reload: false

query5	4340	647	520	520
query6	336	234	199	199
query7	4269	529	294	294
query8	329	229	220	220
query9	8835	4052	4026	4026
query10	454	342	304	304
query11	5800	2372	2198	2198
query12	191	137	135	135
query13	1276	616	444	444
query14	6583	5387	5114	5114
query14_1	4433	4385	4369	4369
query15	214	207	185	185
query16	1019	470	451	451
query17	1159	805	646	646
query18	2742	500	361	361
query19	225	216	177	177
query20	143	138	133	133
query21	216	140	127	127
query22	13656	13620	13343	13343
query23	17233	16404	16021	16021
query23_1	16213	16189	16203	16189
query24	7418	1780	1386	1386
query24_1	1368	1364	1358	1358
query25	571	513	465	465
query26	1350	339	187	187
query27	2637	608	353	353
query28	4432	1990	2007	1990
query29	997	667	539	539
query30	314	249	205	205
query31	1136	1073	950	950
query32	86	80	79	79
query33	533	373	300	300
query34	1165	1149	633	633
query35	784	796	688	688
query36	1335	1361	1151	1151
query37	160	108	99	99
query38	3254	3149	3040	3040
query39	932	927	880	880
query39_1	877	866	869	866
query40	234	156	137	137
query41	64	67	73	67
query42	112	111	110	110
query43	327	326	284	284
query44	
query45	214	202	196	196
query46	1059	1167	715	715
query47	2330	2280	2170	2170
query48	401	423	296	296
query49	637	538	430	430
query50	738	290	217	217
query51	4302	4225	4197	4197
query52	106	110	96	96
query53	265	277	206	206
query54	320	281	251	251
query55	91	91	85	85
query56	299	296	302	296
query57	1436	1390	1308	1308
query58	295	274	283	274
query59	1594	1691	1428	1428
query60	357	335	320	320
query61	197	151	157	151
query62	668	629	562	562
query63	249	207	207	207
query64	2356	813	656	656
query65	
query66	1703	518	394	394
query67	29939	29885	29813	29813
query68	
query69	455	336	309	309
query70	1033	1026	956	956
query71	323	276	267	267
query72	2994	2752	2489	2489
query73	821	775	437	437
query74	5095	4909	4739	4739
query75	2772	2698	2323	2323
query76	2302	1127	774	774
query77	411	427	355	355
query78	12992	13009	12428	12428
query79	1562	1007	725	725
query80	1297	581	502	502
query81	495	277	238	238
query82	1359	154	121	121
query83	356	281	249	249
query84	267	143	111	111
query85	937	526	471	471
query86	455	336	320	320
query87	3429	3370	3224	3224
query88	3592	2687	2662	2662
query89	448	383	337	337
query90	1824	176	186	176
query91	178	171	140	140
query92	82	81	69	69
query93	976	983	574	574
query94	662	364	310	310
query95	654	383	456	383
query96	1031	754	330	330
query97	2721	2688	2548	2548
query98	239	236	234	234
query99	1134	1101	977	977
Total cold run time: 255139 ms
Total hot run time: 170212 ms

@hello-stephen

Copy link
Copy Markdown
Contributor

BE UT Coverage Report

Increment line coverage 0.00% (0/10) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 53.57% (20654/38555)
Line Coverage 37.18% (194927/524209)
Region Coverage 33.52% (151992/453444)
Branch Coverage 34.55% (66286/191852)

@hello-stephen

Copy link
Copy Markdown
Contributor

BE Regression && UT Coverage Report

Increment line coverage 0.00% (0/10) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 72.00% (27186/37759)
Line Coverage 55.24% (288817/522836)
Region Coverage 52.25% (239212/457864)
Branch Coverage 53.60% (103229/192580)

@hello-stephen

Copy link
Copy Markdown
Contributor

FE Regression Coverage Report

Increment line coverage 0.46% (1/219) 🎉
Increment coverage report
Complete coverage report

@hello-stephen

Copy link
Copy Markdown
Contributor

BE Regression && UT Coverage Report

Increment line coverage 0.00% (0/10) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 72.00% (27186/37759)
Line Coverage 55.24% (288817/522836)
Region Coverage 52.25% (239212/457864)
Branch Coverage 53.60% (103229/192580)

@github-actions github-actions Bot added the approved Indicates a PR has been approved by one committer. label May 11, 2026
@github-actions

Copy link
Copy Markdown
Contributor

PR approved by at least one committer and no changes requested.

@hello-stephen

Copy link
Copy Markdown
Contributor

BE Regression && UT Coverage Report

Increment line coverage 0.00% (0/10) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 73.75% (27847/37759)
Line Coverage 57.57% (301006/522836)
Region Coverage 54.78% (250811/457864)
Branch Coverage 56.32% (108469/192580)

@hello-stephen

Copy link
Copy Markdown
Contributor

FE Regression Coverage Report

Increment line coverage 0.46% (1/219) 🎉
Increment coverage report
Complete coverage report

@hello-stephen

Copy link
Copy Markdown
Contributor

skip check_coverage

@hello-stephen

Copy link
Copy Markdown
Contributor

/review

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found one additional blocking issue in the BE storage-policy/resource-push path and left it inline. I did not duplicate the existing review threads; the already-known S3Properties provider propagation gaps and cloud recycler v1 gap remain covered by those threads.

Critical checkpoints:

  • Goal/test: The PR aims to propagate additional AWS credentials provider types through FE, thrift/proto, BE, and cloud recycler. The added FE unit test covers serialization for role_arn, but the BE v1 runtime path is still not covered and currently misbehaves for the newly decoded thrift values.
  • Scope: The implementation is mostly focused on provider-type propagation, but it introduces parallel FE/BE/cloud mappings that must stay consistent.
  • Concurrency/lifecycle: No new shared mutable state or lock-order changes found in the reviewed code. The provider objects follow existing S3 client/accessor lifecycles.
  • Config: Existing aws_credentials_provider_version remains relevant; the new values work differently between v1 and v2 paths. The inline issue is specifically a v1 behavior gap.
  • Compatibility/protocol: New thrift/proto enum values require all consumers to handle them consistently. BE decoding was added, but the decoded values are not honored by the v1 credential provider flow.
  • Parallel paths: FE, BE, cloud meta-service, and cloud recycler all have parallel provider handling. Existing review threads already cover cloud recycler v1 and FE serialization gaps; the new inline comment covers the distinct BE path.
  • Tests: I did not run tests in this automated review. Current tests do not exercise BE v1 credential-provider behavior for role_arn plus ENV/CONTAINER/WEB_IDENTITY.
  • Observability/data correctness/transactions: No new transaction or storage-version correctness concern found. No additional observability requirement beyond existing S3 credential failure paths.
  • User focus: No additional user-provided review focus was specified.

Comment thread be/src/util/s3_util.cpp
case TCredProviderType::INSTANCE_PROFILE:
return CredProviderType::InstanceProfile;
case TCredProviderType::ENV:
return CredProviderType::Env;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Decoding these new thrift values exposes a BE v1 credential path that still does not honor them for role-based configs. S3Properties.getS3TStorageParam() can now send role_arn + ENV/CONTAINER/WEB_IDENTITY/...; get_s3_client_conf() stores that type, but with aws_credentials_provider_version != v2, S3ClientFactory::_get_aws_credentials_provider_v1() only enters the assume-role branch for CredProviderType::InstanceProfile. For ENV, CONTAINER, or WEB_IDENTITY, it skips the role_arn entirely and falls through to anonymous credentials because AK/SK are empty. This is distinct from the existing recycler-v1 thread: this is the BE storage-policy/resource-push path enabled by the new thrift decoder. Please either reject non-INSTANCE_PROFILE role providers when v1 is active or make the BE v1 path assume the role using the selected base provider.

@hello-stephen
hello-stephen merged commit 533f02b into apache:master May 13, 2026
31 of 32 checks passed
github-actions Bot pushed a commit that referenced this pull request May 13, 2026
…62788)

### What problem does this PR solve?
Support configuring the AWS S3 credentials provider type for cloud
storage vaults and S3 storage parameters. This allows IAM role based
access to use providers other than instance profile, such as
environment, system
properties, web identity, container, default chain, and anonymous
credentials. The credential provider type is propagated through FE
properties, thrift/proto definitions, meta service storage vault
handling, and cloud
  recycler S3 accessor creation.

```
CREATE storage vault IF NOT EXISTS s3_vault_2
    PROPERTIES (
    "type"="S3",
    "s3.endpoint"="xxx",
    "s3.role_arn" = "xxx",
    "s3.region" = "us-west-1",
    "s3.root.path" = "xxx",
    "s3.bucket" = "xxx",
    "provider" = "S3",
    "use_path_style" = "false",
    "s3.credentials_provider_type" = "WEB_IDENTITY",
    "s3_validity_check" = "false"
);

```

```
curl "127.0.0.1:5678/MetaService/http/get_obj_store_info
```
```
{
    "id": "3",
    "name": "s3_vault_2",
    "obj_info": {
        "ctime": "1777011933",
        "mtime": "1777011933",
        "id": "3",
        "bucket": "xxx",
        "prefix": "wyx_test",
        "endpoint": "xxx",
        "region": "us-west-1",
        "provider": "S3",
        "external_endpoint": "",
        "sse_enabled": true,
        "use_path_style": false,
        "cred_provider_type": "WEB_IDENTITY",
        "role_arn": "xxx",
        "external_id": ""
    }
}
```
wyxxxcat added a commit to wyxxxcat/doris that referenced this pull request May 26, 2026
…pache#62788)

Support configuring the AWS S3 credentials provider type for cloud
storage vaults and S3 storage parameters. This allows IAM role based
access to use providers other than instance profile, such as
environment, system
properties, web identity, container, default chain, and anonymous
credentials. The credential provider type is propagated through FE
properties, thrift/proto definitions, meta service storage vault
handling, and cloud
  recycler S3 accessor creation.

```
CREATE storage vault IF NOT EXISTS s3_vault_2
    PROPERTIES (
    "type"="S3",
    "s3.endpoint"="xxx",
    "s3.role_arn" = "xxx",
    "s3.region" = "us-west-1",
    "s3.root.path" = "xxx",
    "s3.bucket" = "xxx",
    "provider" = "S3",
    "use_path_style" = "false",
    "s3.credentials_provider_type" = "WEB_IDENTITY",
    "s3_validity_check" = "false"
);

```

```
curl "127.0.0.1:5678/MetaService/http/get_obj_store_info
```
```
{
    "id": "3",
    "name": "s3_vault_2",
    "obj_info": {
        "ctime": "1777011933",
        "mtime": "1777011933",
        "id": "3",
        "bucket": "xxx",
        "prefix": "wyx_test",
        "endpoint": "xxx",
        "region": "us-west-1",
        "provider": "S3",
        "external_endpoint": "",
        "sse_enabled": true,
        "use_path_style": false,
        "cred_provider_type": "WEB_IDENTITY",
        "role_arn": "xxx",
        "external_id": ""
    }
}
```
yiguolei pushed a commit that referenced this pull request May 27, 2026
zhaorongsheng pushed a commit to zhaorongsheng/doris that referenced this pull request Jun 4, 2026
…pache#62788)

### What problem does this PR solve?
Support configuring the AWS S3 credentials provider type for cloud
storage vaults and S3 storage parameters. This allows IAM role based
access to use providers other than instance profile, such as
environment, system
properties, web identity, container, default chain, and anonymous
credentials. The credential provider type is propagated through FE
properties, thrift/proto definitions, meta service storage vault
handling, and cloud
  recycler S3 accessor creation.

```
CREATE storage vault IF NOT EXISTS s3_vault_2
    PROPERTIES (
    "type"="S3",
    "s3.endpoint"="xxx",
    "s3.role_arn" = "xxx",
    "s3.region" = "us-west-1",
    "s3.root.path" = "xxx",
    "s3.bucket" = "xxx",
    "provider" = "S3",
    "use_path_style" = "false",
    "s3.credentials_provider_type" = "WEB_IDENTITY",
    "s3_validity_check" = "false"
);

```

```
curl "127.0.0.1:5678/MetaService/http/get_obj_store_info
```
```
{
    "id": "3",
    "name": "s3_vault_2",
    "obj_info": {
        "ctime": "1777011933",
        "mtime": "1777011933",
        "id": "3",
        "bucket": "xxx",
        "prefix": "wyx_test",
        "endpoint": "xxx",
        "region": "us-west-1",
        "provider": "S3",
        "external_endpoint": "",
        "sse_enabled": true,
        "use_path_style": false,
        "cred_provider_type": "WEB_IDENTITY",
        "role_arn": "xxx",
        "external_id": ""
    }
}
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by one committer. dev/4.1.2-merged

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants