Role-based S3 access (AssumeRole)

[zvonand]

Also includes #688

https://gist.github.com/zvonand/bb958ddc11bdcc788e0c13b363b56254

If extra_credentials(role_arn=...) is provided, temporary credentials are requested from AWS STS and used to access S3.

It is now possible to use EC2 metadata to perform AssumeRole. So, no need to explicitly specify AWS credentials

Changelog category (leave one):

• New Feature

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Added AWS IAM role assumption in s3 table function using AWS EC2 credentials.

Documentation entry for user-facing changes

...

Exclude tests:

• Fast test
• Integration Tests
• Stateless tests
• Stateful tests
• Performance tests
• All with ASAN
• All with TSAN
• All with MSAN
• All with UBSAN
• All with Coverage
• All with Aarch64
• All Regression
• Disable CI Cache

[ilejn]

Please, explain how does hardcoded maxRetries correspond with configuration.s3_retry_attempts ?

It existed before your change (e.g. in AwsAuthSTSAssumeRoleWebIdentityCredentialsProvider ctor) , but the question remains.

[ilejn]

I am a complete stranger in s3 secure world, but is my understanding correct that there is no audit facilities?
The credential machine is not trivial after AssumeRole is introduced, so may be we should start from making log

LOG_TRACE(logger, "Successfully assumed role using metadata credentials");

a bit more verbose and increase its severity?

[ilejn]

Overall LGTM.

[zvonand]

a bit more verbose and increase its severity?

Well, all other similar logs are no higher than trace. There can be thousands of those lines per second, and they are basically meaningless, aren't they?

[zvonand]

Please, explain how does hardcoded maxRetries correspond with configuration.s3_retry_attempts ?

As far as I understand, this "3 retries" policy is specific for those retryable errors listed above (and those are errors in communicating with STS, which is in general a standalone thing not related to S3), this s3_retry_attempts -- it is a general setting for S3.

I took this from existing code (AwsAuthSTSAssumeRoleWebIdentityCredentialsProvider), but now I think about it and I do not know why they decided to set this to 3....

[ilejn]

There can be thousands of those lines per second,

Sounds a bit worrying.
Does it mean that we are requesting thousands of tokens per a second?

and they are basically meaningless, aren't they?

They are meaningless if there is a way (e.g. using AWS logs) to clarify how exactly access was obtained.

Anyway, audit should be out of the scope of this PR.

[zvonand]

Does it mean that we are requesting thousands of tokens per a second?

No, my bad -- of course, they are reused after obtaining them.

[ilejn]

We need some doc because the change is visible for users.

[zvonand]

I have some: https://gist.github.com/zvonand/bb958ddc11bdcc788e0c13b363b56254

I did not include it in the PR -- anyway, we are not using those in-repo docs, are we? Or better to also include it in "standard" docs? @ilejn

[ilejn]

I have some: https://gist.github.com/zvonand/bb958ddc11bdcc788e0c13b363b56254
I did not include it in the PR -- anyway, we are not using those in-repo docs, are we? Or better to also include it in "standard" docs? @ilejn

It is clear that

1. the text is great
2. stylistically it does not match CH docs, it is more like a blog post.

So, just adding the link to the description of the PR should be fine.
BTW, if you had done it before review it were a bit easier.

If you can find a proper place in docs, e.g. in engines/table-engines/integrations/s3.md, may be it worth writing something very brief as well.

[ilejn]

Is not DB::S3 a current namespace?

[zvonand]

Indeed it is. But I guess it does not actually matter here -- it is done similarly in other places. Maybe some ambiguity can arise without explicitly specifying this...

The base branch was changed.

[github-actions]

Workflow [PR], commit [40775fb]