From ca6cca85490690101b3ee4c7815c3d2b71d2c2f3 Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Wed, 3 Jun 2026 13:51:53 +1000
Subject: [PATCH 1/2] UID2-4739: use DefaultCredentialsProvider for S3 clients in CloudStorageS3
Co-Authored-By: Claude Sonnet 4.6
---
 .../java/com/uid2/shared/cloud/CloudStorageS3.java | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/src/main/java/com/uid2/shared/cloud/CloudStorageS3.java b/src/main/java/com/uid2/shared/cloud/CloudStorageS3.java
index 55ae8cf2..0abd8bce 100644
--- a/src/main/java/com/uid2/shared/cloud/CloudStorageS3.java
+++ b/src/main/java/com/uid2/shared/cloud/CloudStorageS3.java
@@ -2,8 +2,8 @@
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
-import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.*;
@@ -74,15 +74,9 @@ public CloudStorageS3(String accessKeyId, String secretAccessKey, String region,
 }
 public CloudStorageS3(String region, String bucket, String s3Endpoint) {
- // In theory `new InstanceProfileCredentialsProvider()` or even omitting credentials provider should work,
- // but for some unknown reason it doesn't. The credential it provides look realistic, but are not valid.
- // After a lot of experimentation and help of Abu Abraham and Isaac Wilson the only working solution we've
- // found was to explicitly extract env vars populated by the service account from the role and to
- // manually set it on the credentials provider.
- WebIdentityTokenFileCredentialsProvider credentialsProvider = WebIdentityTokenFileCredentialsProvider.builder()
- .roleArn(System.getenv("AWS_ROLE_ARN"))
- .webIdentityTokenFile(Paths.get(System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")))
- .build();
+ // DefaultCredentialsProvider supports IRSA (WebIdentityTokenFile), EKS Pod Identity,
+ // instance profile, and all other standard AWS credential mechanisms automatically.
+ DefaultCredentialsProvider credentialsProvider = DefaultCredentialsProvider.create();
 if (s3Endpoint.isEmpty()) {
 this.s3 = S3Client.builder()
From bfb5d2322d7708e7ed9f50c6070b61f009f7c80a Mon Sep 17 00:00:00 2001
From: sophia-chen-ttd <152837545+sophia-chen-ttd@users.noreply.github.com>
Date: Fri, 5 Jun 2026 15:13:10 +1000
Subject: [PATCH 2/2] UID2-4739: add regression test for CloudStorageS3 constructor NPE fix
---
 .../com/uid2/shared/cloud/CloudStorageS3Test.java | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 src/test/java/com/uid2/shared/cloud/CloudStorageS3Test.java
diff --git a/src/test/java/com/uid2/shared/cloud/CloudStorageS3Test.java b/src/test/java/com/uid2/shared/cloud/CloudStorageS3Test.java
new file mode 100644
index 00000000..a9145de9
--- /dev/null
+++ b/src/test/java/com/uid2/shared/cloud/CloudStorageS3Test.java
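Review bot: The added comment says what `DefaultCredentialsProvider` supports but not the two behavioral changes a reviewer of an S3 client holding production data needs to see: the default chain consults Java system properties and `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` environment variables before the web-identity token file, so static credentials present in the container environment now take precedence over the pod's IRSA role where the removed code always used the role, and resolution appears to be deferred to the first S3 call (the second patch's test relies on this), so a pod with no usable credential source no longer fails in this constructor but with an `SdkClientException` on first use. I would record both, e.g. `// Credentials are resolved lazily via the default chain (system properties, env vars, web identity token, profile, container/instance profile); a missing or wrong source surfaces as SdkClientException on the first request, not here.` The removed comment's reason for avoiding the default chain ("for some unknown reason it doesn't") is dropped without saying what changed (SDK version, cluster configuration); one sentence on that would stop the next reader from reintroducing the workaround. If `java.nio.file.Paths` was imported only for the removed `Paths.get` call it is now unused, since the first hunk drops only the `WebIdentityTokenFileCredentialsProvider` import. The constructor body continues past the end of the hunk.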
@@ -0,0 +1,15 @@
+package com.uid2.shared.cloud;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+
+public class CloudStorageS3Test {
+
+ @Test
+ void constructorDoesNotNpeWhenCredentialEnvVarsAbsent() {
+ // Old WebIdentityTokenFileCredentialsProvider called Paths.get(System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")),
+ // which NPE'd when the env var was unset. DefaultCredentialsProvider must not throw at construction time.
+ assertDoesNotThrow(() -> new CloudStorageS3("us-east-1", "test-bucket", "http://localhost:9999"));
+ }
+}
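Review bot: The method name and comment promise the env-vars-absent case, but nothing in the test controls the environment: on a CI runner that exports `AWS_WEB_IDENTITY_TOKEN_FILE` or static AWS credentials the assertion still passes, so the test does not establish the condition it is named for. What it actually verifies is that credential resolution is deferred past construction, so either rename it to say that, e.g. `void constructorDoesNotResolveCredentialsEagerly()`, or make the precondition explicit with `@DisabledIfEnvironmentVariable(named = "AWS_WEB_IDENTITY_TOKEN_FILE", matches = ".*")`. The constructed `CloudStorageS3` and the `S3Client` it builds are never released; if the class exposes a close method, the construction should be wrapped so the client is closed. A short comment noting that `http://localhost:9999` is never contacted because no request is issued would also stop a reader from expecting a network dependency in this test.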