feat(s3): make S3 credentials optional to support default AWS credential chain #1749
Merged
gaius-qi merged 2 commits into dragonflyoss:main from Mar 30, 2026
…d loaders

When access_key_id and access_key_secret are omitted, OpenDAL falls back to its configured credential loaders for the selected endpoint. This preserves task identity while letting nodes use their own IAM role without requiring explicit static credentials.

Region defaults to us-east-1 when omitted; OpenDAL follows S3 301 redirects for buckets in other regions.

Partial credentials are still rejected: if one of access_key_id or access_key_secret is provided, the other must also be present. Session tokens require both access key fields.

CLI help text across dfget, dfstore export, and dfstore import is now consistent and accurately describes the optional behavior.

Tests now verify both the default-region path and request-level S3 stat behavior without depending on ambient AWS credentials in CI.

Made-with: Cursor
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #1749 +/- ##
==========================================
- Coverage 46.82% 46.63% -0.19%
==========================================
Files 87 87
Lines 24881 24807 -74
==========================================
- Hits 11650 11569 -81
- Misses 13231 13238 +7
Pull request overview
This PR updates the S3 object storage backend configuration to allow omitting explicit credentials so OpenDAL can use the default AWS credential chain (env/IMDS/IRSA/etc.), aligning dfget S3 downloads with AWS-hosted runtime expectations.
Changes:
- Made S3 `access_key_id`, `access_key_secret`, and `region` optional in the backend, defaulting region to `us-east-1` when omitted.
- Added validation to reject partial explicit credential configurations and to require an explicit key pair when `session_token` is provided.
- Updated CLI help text in `dfget` and `dfstore` import/export to document the new optional behavior and fallback semantics; expanded backend unit tests accordingly.
Reviewed changes
Copilot reviewed 1 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| dragonfly-client-backend/src/object_storage.rs | Implements optional S3 credentials + validation rules; defaults region; updates/extends tests (including a wiremock stat test). |
| dragonfly-client/src/bin/dfget/main.rs | Updates CLI examples and help text to describe explicit vs default-chain behavior. |
| dragonfly-client/src/bin/dfstore/export.rs | Updates CLI help text for storage region/endpoint/credentials/session token. |
| dragonfly-client/src/bin/dfstore/import.rs | Updates CLI help text for storage region/endpoint/credentials/session token. |
Signed-off-by: Gaius <gaius.qi@gmail.com>
hhhhsdxxxx
approved these changes
Mar 30, 2026
EvanCley
reviewed
Mar 30, 2026
Member
EvanCley
left a comment
S3 will not verify param integrity when using its credential chain, maybe other object storage should follow next step?
yxxhero
approved these changes
Mar 30, 2026
jonakeys
pushed a commit
to jonakeys/dragonfly-client
that referenced
this pull request
Mar 30, 2026
…ial chain (dragonflyoss#1749)

* feat(s3): make S3 credentials optional to support OpenDAL's configured loaders

  When access_key_id and access_key_secret are omitted, OpenDAL falls back to its configured credential loaders for the selected endpoint. This preserves task identity while letting nodes use their own IAM role without requiring explicit static credentials.

  Region defaults to us-east-1 when omitted; OpenDAL follows S3 301 redirects for buckets in other regions.

  Partial credentials are still rejected: if one of access_key_id or access_key_secret is provided, the other must also be present. Session tokens require both access key fields.

  CLI help text across dfget, dfstore export, and dfstore import is now consistent and accurately describes the optional behavior.

  Tests now verify both the default-region path and request-level S3 stat behavior without depending on ambient AWS credentials in CI.

  Made-with: Cursor

* feat: add env var support for CLI args, remove S3 cred validation

  Signed-off-by: Gaius <gaius.qi@gmail.com>

---------

Signed-off-by: Gaius <gaius.qi@gmail.com>
Co-authored-by: Gaius <gaius.qi@gmail.com>
Signed-off-by: Jonathan van der Steege <jonathan@jonakeys.nl>
Summary
- `access_key_id`, `access_key_secret`, and `region` fields optional in the object storage backend. When omitted, OpenDAL falls back to the default AWS credential chain (environment variables, IMDS, IRSA, etc.), enabling nodes to use their own IAM role without requiring explicit static credentials.
- `access_key_id` or `access_key_secret` is provided, the other must also be present; `session_token` requires both access key fields.
- `dfget`, `dfstore export`, and `dfstore import` to document the new optional behavior and default credential chain fallback.

Test plan
- `object_storage.rs` updated to cover new valid configurations (empty config, endpoint-only, region-only, explicit key pair) and updated error cases (partial credentials, session token without key pair)
This PR resolves #1750
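
The credential rules stated in the summary above (both keys omitted selects the default chain, a half-specified pair or a lone session token is rejected, region defaults to us-east-1), written as a stand-alone Rust function. This is an added example, not code from dragonfly-client: the type and function names are hypothetical, treating empty values as omitted is an assumption, and since the second commit in this thread removes S3 credential validation it illustrates the rules as described rather than the merged code.

```rust
// Added example: names are hypothetical, not dragonfly-client's API.
#[derive(Debug, PartialEq)]
pub enum CredentialMode {
    DefaultChain, // no static keys: the client's default credential chain is used
    Static { access_key_id: String, access_key_secret: String, session_token: Option<String> },
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    PartialKeyPair { missing: &'static str },
    SessionTokenWithoutKeyPair,
}

#[derive(Default)]
pub struct S3Options<'a> {
    pub access_key_id: Option<&'a str>,
    pub access_key_secret: Option<&'a str>,
    pub session_token: Option<&'a str>,
    pub region: Option<&'a str>,
}

// Assumption of this example: an empty or whitespace-only value counts as omitted.
fn present(v: Option<&str>) -> Option<String> {
    v.map(str::trim).filter(|s| !s.is_empty()).map(String::from)
}

/// Returns the credential mode and the effective region, or the rule that was broken.
pub fn resolve(opts: &S3Options) -> Result<(CredentialMode, String), ConfigError> {
    let region = present(opts.region).unwrap_or_else(|| "us-east-1".to_string());
    let token = present(opts.session_token);
    let mode = match (present(opts.access_key_id), present(opts.access_key_secret)) {
        (Some(id), Some(secret)) => CredentialMode::Static {
            access_key_id: id,
            access_key_secret: secret,
            session_token: token,
        },
        (Some(_), None) => return Err(ConfigError::PartialKeyPair { missing: "access_key_secret" }),
        (None, Some(_)) => return Err(ConfigError::PartialKeyPair { missing: "access_key_id" }),
        // Rejected rather than ignored, so a lone token never falls through to the default chain.
        (None, None) if token.is_some() => return Err(ConfigError::SessionTokenWithoutKeyPair),
        (None, None) => CredentialMode::DefaultChain,
    };
    Ok((mode, region))
}

fn main() {
    // Constructed inputs: an empty config, then a lone access key id (placeholder value).
    println!("{:?}", resolve(&S3Options::default()));
    println!("{:?}", resolve(&S3Options { access_key_id: Some("AKIAEXAMPLE"), ..Default::default() }));
}
```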