STS roleArn: enable 3rd party STS services#3619
Merged
snazy merged 2 commits intoapache:mainfrom Feb 3, 2026
Merged
Conversation
Certain non-AWS STS service implementations use role ARNs that look quite different from AWS ones. This change shall enable those STS implementations. Example role ARNs that currently fail: * `urn:ecs:sts::s3:assumed-role/s3assumeRole/user1-105-temp` * `urn:sgws:identity::12345:group/foo-bar-abcdef` Related issue apache#2743
snazy
force-pushed
the
sts-role-arn-unrestrict
branch
from
d1b8ffa to
fac8298
Compare
adutra
previously approved these changes
Jan 30, 2026
github-project-automation
bot
moved this from PRs In Progress
to Ready to merge
in Basic Kanban Board
dimas-b
approved these changes
Jan 30, 2026
Contributor
|
The AWS pattern does not appear to require even the |
Member
Author
Not strictly necessary in this change though. We have these partition + accountId extractions, which could yield |
dimas-b
previously approved these changes
Jan 30, 2026
MonkeyCanCode
previously approved these changes
Jan 30, 2026
Contributor
|
This will help us to do assume role on rustfs/minio as well. Wondering if we should add integration testing for this when using minio for the existed test cases? |
singhpk234
reviewed
Feb 1, 2026
Contributor
singhpk234
left a comment
singhpk234
left a comment
There was a problem hiding this comment.
Change looks reasonable to me, thanks @snazy !
|
|
||
| ### Fixes | ||
|
|
||
| - Enable non-AWS STS role ARNs |
Contributor
There was a problem hiding this comment.
minor : worth mentioning ECS as an example
| Arguments.of("arn:aws:iam::012345678901:role/jdoe", "012345678901", "aws"), | ||
| Arguments.of("arn:aws-us-gov:iam::012345678901:role/jdoe", "012345678901", "aws-us-gov"), | ||
| Arguments.of("arn:aws-cn:iam::012345678901:role/jdoe", "012345678901", "aws-cn"), | ||
| Arguments.of("urn:ecs:sts::s3:assumed-role/s3assumeRole/user1-105-temp", "s3", "ecs"), |
Contributor
There was a problem hiding this comment.
I didn't fully understand this example, expected account id is s3 ? can you please elaborate and add a code comment
snazy
dismissed stale reviews from MonkeyCanCode, dimas-b, and adutra
via
7e337fd
Member
Author
|
Add comment + moved AWS/KMS specific usage of 'account id' from an ARN to where it is used (only for KMS) |
dimas-b
approved these changes
Feb 2, 2026
Contributor
|
@MonkeyCanCode : AssumeRole for MinIO is already covered by |
singhpk234
approved these changes
Feb 2, 2026
Contributor
singhpk234
left a comment
singhpk234
left a comment
There was a problem hiding this comment.
LGTM, thanks @snazy !
MonkeyCanCode
approved these changes
Feb 3, 2026
github-project-automation
bot
moved this from Ready to merge
to Done
in Basic Kanban Board
sungwy
pushed a commit
to sungwy/polaris
that referenced
this pull request
Feb 7, 2026
Certain non-AWS STS service implementations use role ARNs that look quite different from AWS ones. This change shall enable those STS implementations. Example role ARNs that currently fail: * `urn:ecs:sts::s3:assumed-role/s3assumeRole/user1-105-temp` * `urn:sgws:identity::12345:group/foo-bar-abcdef` Related issue apache#2743
snazy
added a commit
to snazy/polaris
that referenced
this pull request
Feb 11, 2026
Dremio pre-OSS-merge fix for apache#3619
snazy
added a commit
to snazy/polaris
that referenced
this pull request
Feb 11, 2026
* fix(site): Bump the binary distribution version. (apache#3624) Co-authored-by: ChristopherQu <[email protected]> * chore(deps): update actions/stale digest to dcd2b94 (apache#3643) * security(getting-started): enforce stronger postgres password and restrict database access (apache#3570) * security(getting-started): enforce strong postgres passwords and restrict database access - Add POSTGRES_PASSWORD environment variable to specify the Postgres database password. - Add validation to reject weak default "postgres" password. - Generate random 16-character password if POSTGRES_PASSWORD is not provided. - Replace all hardcoded "postgres" password references with $POSTGRES_PASSWORD variable. - Restrict Azure PostgreSQL access to VM's public IP using `--public-access` flag. This aligns security posture across AWS (VPC-only), Azure (IP-restricted), and GCP (authorized-networks) - Update documentation site to describe the POSTGRES_PASSWORD environment variable. * OpenAPI specs: update README with detailed API specifications (apache#3629) * CI: simplify `ci-incr-build-cache-save` action usage (apache#3626) * CI: simplify upload-artifacts call + only on failure (apache#3627) * CI: simplify java-setup action usage (apache#3628) * STS roleArn: enable 3rd party STS services (apache#3619) Certain non-AWS STS service implementations use role ARNs that look quite different from AWS ones. This change shall enable those STS implementations. Example role ARNs that currently fail: * `urn:ecs:sts::s3:assumed-role/s3assumeRole/user1-105-temp` * `urn:sgws:identity::12345:group/foo-bar-abcdef` Related issue apache#2743 * Last merged commit 29ccdd1 --------- Co-authored-by: HJ Q. <[email protected]> Co-authored-by: ChristopherQu <[email protected]> Co-authored-by: Mend Renovate <[email protected]> Co-authored-by: Pierre Laporte <[email protected]> Co-authored-by: Alexandre Dutra <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Certain non-AWS STS service implementations use role ARNs that look quite different from AWS ones. This change shall enable those STS implementations.
Example role ARNs that currently fail:
urn:ecs:sts::s3:assumed-role/s3assumeRole/user1-105-tempurn:sgws:identity::12345:group/foo-bar-abcdefRelated issue #2743