You are viewing a plain text version of this content. The canonical link for it is here.

Posted to github@beam.apache.org by "mokamoka03210120 (via GitHub)" <gi...@apache.org> on 2023/04/13 12:39:17 UTC

[GitHub] [beam] mokamoka03210120 commented on a diff in pull request #26098: Support Assume-Role with web identity

mokamoka03210120 commented on code in PR #26098:
URL: https://github.com/apache/beam/pull/26098#discussion_r1165462611


##########
sdks/java/io/amazon-web-services2/src/main/java/org/apache/beam/sdk/io/aws2/options/AwsModule.java:
##########
@@ -175,6 +177,14 @@ public AwsCredentialsProvider deserializeWithType(
             .refreshRequest(jsonParser.getCodec().treeToValue(json, clazz).build())
             .stsClient(StsClient.create())
             .build();
+      } else if (typeName.equals(
+          StsAssumeRoleWithWebIdentityCredentialsProvider.class.getSimpleName())) {
+        Class<? extends AssumeRoleWithWebIdentityRequest.Builder> clazz =
+            AssumeRoleWithWebIdentityRequest.serializableBuilderClass();
+        return StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
+            .refreshRequest(jsonParser.getCodec().treeToValue(json, clazz).build())
+            .stsClient(StsClient.create())

Review Comment:
   `AssumeRoleWithWebIdentity` does not need any credentials except id token essentially. But `StsClient` requires credentials due to the design of AWS SDK. 
   ```
   .stsClient(StsClient.builder()
                       .credentialsProvider(StaticCredentialsProvider.create(AwsBasicCredentials.create("key", "secret")))
                       .build())
   ```
   This resolves the problem roughly. Is there any other way?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org