Credential process is a flexible solution for providing custom authentication mechanisms for object store. It is described as a part of the AWS SDK documentation and implementing it would allow more complex use cases to be fully supported by the current setup, without adding particular complexity.
How does it work?
When a user decides to use the credential process, a client that needs credentials invokes the process, which replies with a defined schema like so:
{
  "Version": 1,
  "AccessKeyId": "an AWS access key",
  "SecretAccessKey": "your AWS secret access key",
  "SessionToken": "the AWS session token for temporary credentials",
  "Expiration": "RFC3339 timestamp for when the credentials expire"
}
The client knows when the expiration will occur, and will re-invoke the process when required.
What can we do?
We can then extend the AmazonS3Builder to support this use case via an environment variable
For additional context see #5143. Copying some of the info here:
I think the use case this feature would support is
User uses object_store indirectly via polars
polars does not provide any way to modify / configure s3 connections at runtime
Since the users don't control the pola.rs source or distribution, they cannot use the existing object_store CredentialProvider trait.
The proposal on this ticket is to add a mechanism that can call out to an external program / process to get credentials. While less efficient, this would allow someone to plug in whatever authentication mechanism they wanted without having to change the source code
@tustvold notes that we need to ensure this type of mechanism does not compromise system security (e.g. perhaps it has to be enabled by default
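The client side of the exchange described in the issue, written with the security concern from the comment above in mind, as an added Python example (not object_store's code, which is Rust, and not taken from the AWS SDK). It runs the helper without a shell, bounds it with a timeout, validates the reply before trusting it, and re-invokes the helper only near expiry. Assumptions: the names `parse_reply` and `ProcessCredentials` are hypothetical, a reply without `Expiration` is treated as non-expiring, and the 60-second refresh margin is arbitrary.

```python
import json
import shlex
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample reply; every value is a placeholder, not a real credential.
SAMPLE_REPLY = ('{"Version": 1, "AccessKeyId": "AKIDEXAMPLE", "SecretAccessKey": '
                '"constructed-secret", "Expiration": "2099-01-01T00:00:00Z"}')


def parse_reply(raw, now):
    """Validate one reply; return (credentials dict, expiry or None)."""
    doc = json.loads(raw)
    if not isinstance(doc, dict) or doc.get("Version") != 1:
        raise ValueError("unsupported or missing Version")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not isinstance(doc.get(key), str) or not doc[key]:
            raise ValueError("missing " + key)  # never echo the reply: it holds secrets
    if "Expiration" not in doc:
        return doc, None  # assumption: no Expiration means long-lived, never refreshed
    # fromisoformat() before Python 3.11 rejects the RFC 3339 "Z" suffix
    expiry = datetime.fromisoformat(str(doc["Expiration"]).replace("Z", "+00:00"))
    if expiry.tzinfo is None or expiry <= now:
        raise ValueError("Expiration has no UTC offset or is already past")
    return doc, expiry


class ProcessCredentials:
    """Caches credentials and re-invokes the helper shortly before they expire."""

    def __init__(self, command, timeout=10, skew=timedelta(seconds=60)):
        self.argv = shlex.split(command)  # argv list: no shell, so no metacharacters
        self.timeout, self.skew = timeout, skew
        self.creds, self.expiry, self.invocations = None, None, 0

    def get(self, now=None):
        now = now or datetime.now(timezone.utc)
        fresh = self.expiry is None or now + self.skew < self.expiry
        if self.creds is not None and fresh:
            return self.creds
        self.invocations += 1
        # check=True: a non-zero exit is an error, not an empty credential set
        out = subprocess.run(self.argv, capture_output=True,
                             timeout=self.timeout, check=True)
        self.creds, self.expiry = parse_reply(out.stdout, now)
        return self.creds
```

Because the command string decides which program runs with the caller's privileges, where that string comes from (for example an environment variable) is the trust boundary to review.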