[match] feat(s3_storage): add support for AWS STS credentials#22139
Conversation
|
Correct me if I'm wrong, but the failing CircleCI tests seems completely unrelated to this PR. |
|
@ainame @rogerluan Hi! 👋 I noticed you've both been active recently (reviewing/merging PRs), and I was hoping one of you might help bring this PR back to life. If there's anything I can do to improve the chances of this getting merged, please let me know. |
There was a problem hiding this comment.
Pull request overview
Adds AWS STS (session token) support to match S3 storage so users can authenticate with temporary credentials (access key + secret + session token), in addition to long-lived credentials.
Changes:
- Adds
s3_session_tokenas amatchoption/environment variable (MATCH_S3_SESSION_TOKEN). - Plumbs
s3_session_tokenthrough Match’s S3 storage backend intoFastlane::Helper::S3ClientHelper. - Updates/extends unit tests for S3 client helper behavior.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| match/spec/storage/s3_storage_spec.rb | Updates S3Storage spec subject initialization to include the new s3_session_token kwarg. |
| match/lib/match/storage/s3_storage.rb | Passes s3_session_token into S3ClientHelper and wires it through configure/initialize. |
| match/lib/match/storage.rb | Includes s3_session_token in the params forwarded to the S3 backend. |
| match/lib/match/options.rb | Adds new config option :s3_session_token with env var MATCH_S3_SESSION_TOKEN. |
| fastlane/spec/helper/s3_client_helper_spec.rb | Adds a new test case for providing a session token. |
| fastlane/lib/fastlane/helper/s3_client_helper.rb | Extends helper to accept/store session_token and pass it into Aws::Credentials. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
|
It looks simple enough, I asked Copilot to peek since I was curious how the AWS SDK handled if we sent an empty string of the session token, maybe that would fail as a priority even if access/secret was passed. |
…entials constructor Co-authored-by: Copilot Autofix powered by AI <[email protected]>
|
@iBotPeaches thank you for having a look at this - I appreciate it a lot :) I've added a comment to the first Copilot suggestion and committed the suggested test. Let me know what you would prefer doing from here! |
There was a problem hiding this comment.
Hey @monholm 👋
Thank you for your contribution to fastlane and congrats on getting this pull request merged 🎉
The code change now lives in the master branch, however it wasn't released to RubyGems yet.
We usually ship about once a month, and your PR will be included in the next one.
Please let us know if this change requires an immediate release by adding a comment here 👍
We'll notify you once we shipped a new release with your changes 🚀"
There was a problem hiding this comment.
Congratulations! 🎉 This was released as part of fastlane 2.233.0 🚀
🔑
Checklist
bundle exec rspecfrom the root directory to see all new and existing tests passbundle exec rubocop -ato ensure the code style is validci/circlecibuilds in the "All checks have passed" section of my PR (connect CircleCI to GitHub if not)Motivation and Context
Using temporary short-lived credentials is considered best practice. The current implementation of
s3_storagedoesn't allow passingsession_token, meaning only long-term credentials are supported.Description
Added
session_tokento thes3_client_helperandmatchoptions.Added unit test case.
Tested by running
matchwith long-term credentials (without passingsession_token) and temporary credentials (includingsession_token).Testing Steps
Run
matchwithstorage_mode: 's3'ands3_session_token, e.g.:aws-actions/configure-aws-credentials can be used to obtain temporary credentials in a GitHub Actions runner.