Skip to content

Add sessionToken support for S3InputSource#18609

Merged
jtuglu1 merged 5 commits intoapache:masterfrom
jtuglu1:add-session-token-support-for-s3-input-source
Oct 9, 2025
Merged

Add sessionToken support for S3InputSource#18609
jtuglu1 merged 5 commits intoapache:masterfrom
jtuglu1:add-session-token-support-for-s3-input-source

Conversation

@jtuglu1
Copy link
Copy Markdown
Contributor

@jtuglu1 jtuglu1 commented Oct 8, 2025
edited
Loading

Description

Allows Druid to use an AWS_SESSION_TOKEN (and skip assuming a role to fetch a token) if provided in the spec. No explicit assumptions are made with the input (e.g. that adding sessionToken and assumeRoleAre are mutually exclusive).

This support falls in line with how other engines use things like external catalogs, etc. to vend temporary credentials to access S3, while leaving things like the exact ARN opaque to the caller.

Release note

Add sessionToken support for S3InputSource

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

@jtuglu1 jtuglu1 force-pushed the add-session-token-support-for-s3-input-source branch from 439dd50 to 78aa53d Compare October 9, 2025 00:05
@jtuglu1 jtuglu1 marked this pull request as ready for review October 9, 2025 00:10
@github-actions github-actions Bot added the Area - MSQ For multi stage queries - https://github.com/apache/druid/issues/12262 label Oct 9, 2025
@jtuglu1 jtuglu1 requested review from kfaraz and maytasm October 9, 2025 04:17
@jtuglu1 jtuglu1 added this to the 35.0.0 milestone Oct 9, 2025
kfaraz
kfaraz reviewed Oct 9, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@kfaraz kfaraz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, left some minor suggestions.

Comment thread ...core/s3-extensions/src/main/java/org/apache/druid/catalog/model/table/S3InputSourceDefn.java Outdated
Comment thread ...ons-core/s3-extensions/src/main/java/org/apache/druid/data/input/s3/S3InputSourceConfig.java Outdated
Comment thread ...ons-core/s3-extensions/src/main/java/org/apache/druid/data/input/s3/S3InputSourceConfig.java Outdated
Comment thread docs/ingestion/input-sources.md Outdated
Comment thread docs/ingestion/input-sources.md Outdated
Comment thread extensions-core/s3-extensions/src/main/java/org/apache/druid/data/input/s3/S3InputSource.java Outdated
Comment thread website/.spelling
@jtuglu1 jtuglu1 requested a review from kfaraz October 9, 2025 05:17
kfaraz
kfaraz approved these changes Oct 9, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@kfaraz kfaraz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Comment thread website/.spelling
@jtuglu1 jtuglu1 force-pushed the add-session-token-support-for-s3-input-source branch from 618ea23 to dbba27f Compare October 9, 2025 07:36
@jtuglu1 jtuglu1 force-pushed the add-session-token-support-for-s3-input-source branch from dbba27f to 5697cfa Compare October 9, 2025 18:31
@jtuglu1 jtuglu1 merged commit d1fcff8 into apache:master Oct 9, 2025
1 check passed
cecemei pushed a commit to cecemei/druid that referenced this pull request Oct 16, 2025
@jtuglu1 @cecemei
Add sessionToken support for S3InputSource (apache#18609)
7ed7cf9 
Allows Druid to use an AWS_SESSION_TOKEN (and skip assuming a role to fetch a token) if provided in the spec. No explicit assumptions are made with the input (e.g. that adding sessionToken and assumeRoleAre are mutually exclusive).

This support falls in line with how other engines use things like external catalogs, etc. to vend temporary credentials to access S3, while leaving things like the exact ARN opaque to the caller.
@cecemei cecemei mentioned this pull request Oct 16, 2025
Merged
cecemei pushed a commit that referenced this pull request Oct 17, 2025
@jtuglu1 @cecemei
Add sessionToken support for S3InputSource (#18609)
7b0ed73 
Allows Druid to use an AWS_SESSION_TOKEN (and skip assuming a role to fetch a token) if provided in the spec. No explicit assumptions are made with the input (e.g. that adding sessionToken and assumeRoleAre are mutually exclusive).

This support falls in line with how other engines use things like external catalogs, etc. to vend temporary credentials to access S3, while leaving things like the exact ARN opaque to the caller.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kfaraz kfaraz kfaraz approved these changes

@maytasm maytasm maytasm approved these changes

Assignees

No one assigned

Labels

Area - Batch Ingestion Area - Documentation Area - Ingestion Area - MSQ For multi stage queries - https://github.com/apache/druid/issues/12262

Projects

None yet

Milestone

35.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@jtuglu1 @kfaraz @maytasm