Add support for AWS environmental credential chain for AWS storage providers #9439

snelson44 · 2025-05-19T15:57:54Z

Motivation and context

Currently there is no way to use the environmental credentials chain for aws cloud storages. You must either explicitly set your credentials or cvat will assume you are attempting to do anonymous access and signing requests will be disabled entirely. I added the ability for the credentials type to be specified and passed on to the aws provider. If anonymous is requested, then signing requests will still be disabled. If credentials are given, they will be used to access aws, if credentials are not explicitly given, boto3 will look for them in the environment.

How has this been tested?

Added rest api tests for adding a cloud storage. One test to show anonymous access was still supported, and a second test to show that the aws provider could pull creds from the environment

Checklist

I submit my changes into the develop branch
I have created a changelog fragment
I have updated the documentation accordingly
I have added tests to cover my changes
I have linked related issues (see GitHub docs)

License

I submit my code changes under the same MIT License that covers the project.
Feel free to contact the maintainers if that's a concern.

sn/make-aws-anon-access-explicit

Marishka17 · 2025-05-21T12:22:55Z

Hi @snelson44, thank you for the contribution.

There are a few concerns with this approach:

You haven't introduced a new credential type. This means it will not work when configuring cloud storage via UI (there are 2 credential types for AWS S3 compatible buckets: key/secret key pair that would not work without key/secret key on UI, anonymous access - env variables are not used by the newly introduced server logic).
There should be one more setting parameter that enables/disables this functionality on the server (by default it should be disabled). Since it is a common code we cannot allow by default the use of the shared env variables/AWS profile configured on the host.

…/add-env-cred-type

Sn/add env cred type

sonarqubecloud · 2025-05-21T21:26:49Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2025-06-24T20:09:43Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

8000

snelson44 · 2025-06-24T20:10:49Z

Hi @snelson44, thank you for the contribution.

There are a few concerns with this approach:

You haven't introduced a new credential type. This means it will not work when configuring cloud storage via UI (there are 2 credential types for AWS S3 compatible buckets: key/secret key pair that would not work without key/secret key on UI, anonymous access - env variables are not used by the newly introduced server logic).

There should be one more setting parameter that enables/disables this functionality on the server (by default it should be disabled). Since it is a common code we cannot allow by default the use of the shared env variables/AWS profile configured on the host.

Added credentials type and setting parameter @Marishka17

snelson44 and others added 7 commits April 24, 2025 09:58

sn/make-aws-anon-access-explicit

41334f5

small updates

4d9aab7

fmt

900564f

fmt

90bcee2

comments

a1a9703

make en 8000 v vars configurable

2db5e21

Merge pull request #1 from flywheel-io/sn/make-aws-anon-access-explicit

e69f460

sn/make-aws-anon-access-explicit

snelson44 marked this pull request as ready for review May 19, 2025 16:00

snelson44 requested review from azhavoro, zhiltsov-max and SpecLad as code owners May 19, 2025 16:00

snelson44 and others added 13 commits May 21, 2025 09:25

adding env creds type

51dc531

Merge remote-tracking branch 'upstream/develop' into develop

a39ac28

test name

365d532

Merge branch 'develop' of https://github.com/flywheel-io/cvat into sn…

de08161

…/add-env-cred-type

settings

a730e66

import change

ba9b590

fmt

c9ed145

lint

93cf896

isort

edb621d

add setting to django

55ebdcf

newline

e80d024

update schema

d5023d8

Merge pull request #2 from flywheel-io/sn/add-env-cred-type

829da9d

Sn/add env cred type

merge conflict

24e2fc8

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add support for AWS environmental credential chain for AWS storage providers #9439

Add support for AWS environmental credential chain for AWS storage providers #9439

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Add support for AWS environmental credential chain for AWS storage providers #9439

Are you sure you want to change the base?

Add support for AWS environmental credential chain for AWS storage providers #9439

Conversation

Motivation and context

How has this been tested?

Checklist

License

Uh oh!

Uh oh!

Quality Gate passed

Uh oh!

Quality Gate passed

Uh oh!

Uh oh!

Uh oh!

Uh oh!