fix(deps): pin aws-creds to fork with EKS Pod Identity support#1419
Merged
Conversation
The relay pod on bb-block authenticates to S3 via EKS Pod Identity (AWS_CONTAINER_CREDENTIALS_FULL_URI + AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE), but aws-creds 0.39.1 (pulled transitively via rust-s3 0.37.2) only reads the ECS RELATIVE_URI form and sends no Authorization header. Result: "failed to initialize media storage: Could not get valid credentials", blocking both S3 media and git CAS storage. Pin aws-creds to tlongwell-block/rust-s3@c9fce362, which adopts the aws-creds portion of durch/rust-s3#449: FULL_URI fallback, bearer token from the token file/env, Authorization header, and a loopback allowlist (169.254.170.23 / [fd00:ec2::23]) that only sends the token to the documented Pod Identity agent addresses. The fix is refresh-safe — it sets expiration from the response, so rust-s3's auto-refresh re-fetches on token expiry rather than silently 403ing after ~6h. Scope is minimal: only aws-creds is redirected; rust-s3 stays on crates.io 0.37.2, and no S3 call sites or the git CAS change. Temporary pin pending upstream merge of #449. Verified: buzz-media (42 passed) and buzz-relay (429 passed, incl. the git-CAS unit tests) full suites green against the fork. Live S3/MinIO probes remain env-gated and are validated on-cluster post-deploy. Co-authored-by: Tyler Longwell <tlongwell@block.xyz> Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
Follow-up to #1417 (Redis TLS) — the second blocker on the bb-block relay deploy.
Problem
After the Redis TLS fix, the relay pod on bb-block failed with:
The pod authenticates to S3 via EKS Pod Identity (AWS_CONTAINER_CREDENTIALS_FULL_URI + AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE). But aws-creds 0.39.1 — pulled transitively via rust-s3 0.37.2 — only reads the ECS RELATIVE_URI form, hardcodes the ECS endpoint, and sends no Authorization header. So it never gets creds for either S3 media or git CAS storage. Wren independently confirmed buzz is correctly onboarded to Pod Identity (cluster app-service standard), so the fix belongs in the creds layer, not infra.
Fix
Pin aws-creds to tlongwell-block/rust-s3@c9fce362, which adopts the aws-creds portion of upstream durch/rust-s3#449:
- Falls back to AWS_CONTAINER_CREDENTIALS_FULL_URI when RELATIVE_URI is absent.
- Reads the bearer token from AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE (then AWS_CONTAINER_AUTHORIZATION_TOKEN) and sends it as Authorization.
- Sets expiration from the response, so rust-s3's auto-refresh() re-fetches on token expiry rather than silently 403ing after ~6h.
- Loopback allowlist (169.254.170.23 / [fd00:ec2::23]) over http/https; token-file read fails loud (no silent env fallback).
Scope (minimal)
[patch.crates-io] redirects only aws-creds. rust-s3 stays on crates.io 0.37.2; no S3 call sites and no git CAS logic change. Cargo.lock delta is exactly one line (aws-creds source).
Human review
This adopts an upstream PR that had only bot review. Wren + I reviewed the full diff together (refresh safety, the allowlist, error mapping) — see thread. We are the human review it lacked.
Verification
- cargo build -p buzz-media -p buzz-relay — clean against the fork.
- cargo test -p buzz-media — 42 passed (MinIO round-trip ignored, needs live MinIO).
- cargo test -p buzz-relay — 429 passed, 0 failed, incl. the git-CAS unit tests (2 live-S3 probes env-gated behind BUZZ_GIT_S3_PROBE=1).
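As an added, std-only example (not code from this PR, the fork, or aws-creds), the sketch below shows the credential-request resolution the description lists: RELATIVE_URI first with FULL_URI as the fallback, token precedence of token file then env var with a loud failure when a configured file cannot be read, the loopback allowlist gating whether the Authorization header is attached, and pulling Expiration out of the agent's response so a refresh can be scheduled. The names build_request, CredsError, env_of, the injected read_file hook and the sample response body are my own constructions; the real provider performs the HTTP fetch, which is omitted here.

```rust
use std::collections::HashMap;
use std::io;

// Environment variables the provider consults (names as in the PR description).
const RELATIVE_URI: &str = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
const FULL_URI: &str = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
const TOKEN_FILE: &str = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE";
const TOKEN_ENV: &str = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
// ECS metadata endpoint that a RELATIVE_URI path is appended to.
const ECS_ENDPOINT: &str = "http://169.254.170.2";
// Documented Pod Identity agent addresses: the only hosts the token is sent to.
const ALLOWED_HOSTS: &[&str] = &["169.254.170.23", "[fd00:ec2::23]"];

#[derive(Debug, PartialEq)]
pub enum CredsError {
    NoContainerEndpoint,
    UnsupportedScheme(String),
    HostNotAllowed(String),
    TokenFileUnreadable(String),
}

/// What the provider would send: the URL and, when a token applies, the raw
/// token value for the Authorization header (no scheme prefix).
#[derive(Debug, PartialEq)]
pub struct CredsRequest {
    pub url: String,
    pub authorization: Option<String>,
}

/// Build an env map from constructed pairs (stand-in for std::env::vars()).
pub fn env_of(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

/// RELATIVE_URI (ECS) takes precedence; FULL_URI (Pod Identity) is the fallback.
fn resolve_url(env: &HashMap<String, String>) -> Result<String, CredsError> {
    if let Some(rel) = env.get(RELATIVE_URI) {
        return Ok(format!("{}{}", ECS_ENDPOINT, rel));
    }
    env.get(FULL_URI).cloned().ok_or(CredsError::NoContainerEndpoint)
}

/// Host part of an http(s) URL, keeping the brackets of an IPv6 literal.
fn host_of(url: &str) -> Result<String, CredsError> {
    let rest = url
        .strip_prefix("http://")
        .or_else(|| url.strip_prefix("https://"))
        .ok_or_else(|| CredsError::UnsupportedScheme(url.to_string()))?;
    let authority = rest.split(|c: char| c == '/' || c == '?').next().unwrap_or("");
    let host = if authority.starts_with('[') {
        match authority.find(']') {
            Some(i) => &authority[..=i],
            None => authority,
        }
    } else {
        authority.split(':').next().unwrap_or(authority)
    };
    Ok(host.to_string())
}

/// Token precedence: token file, then env var. A configured file that cannot be
/// read is an error; it does not silently fall through to the env var.
fn load_token(
    env: &HashMap<String, String>,
    read_file: &dyn Fn(&str) -> io::Result<String>,
) -> Result<Option<String>, CredsError> {
    if let Some(path) = env.get(TOKEN_FILE) {
        return match read_file(path) {
            Ok(t) => Ok(Some(t.trim().to_string())),
            Err(e) => Err(CredsError::TokenFileUnreadable(format!("{}: {}", path, e))),
        };
    }
    Ok(env.get(TOKEN_ENV).cloned())
}

/// Resolve the request; a token is attached only for an allowlisted host.
/// `read_file` is injected so the example runs without a real token file
/// (pass `&|p| std::fs::read_to_string(p)` in real use).
pub fn build_request(
    env: &HashMap<String, String>,
    read_file: &dyn Fn(&str) -> io::Result<String>,
) -> Result<CredsRequest, CredsError> {
    let url = resolve_url(env)?;
    let authorization = match load_token(env, read_file)? {
        None => None,
        Some(token) => {
            let host = host_of(&url)?;
            if !ALLOWED_HOSTS.contains(&host.as_str()) {
                return Err(CredsError::HostNotAllowed(host));
            }
            Some(token)
        }
    };
    Ok(CredsRequest { url, authorization })
}

/// Pull `Expiration` out of the agent's flat JSON response so the provider can
/// refresh on expiry. Minimal scanner for this one field, not a JSON parser.
pub fn expiration_from_body(body: &str) -> Option<String> {
    let key = "\"Expiration\"";
    let after_key = &body[body.find(key)? + key.len()..];
    let value = after_key.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    Some(value[..value.find('"')?].to_string())
}

// Constructed response body in the shape the Pod Identity agent returns.
pub const SAMPLE_BODY: &str =
    r#"{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"x","Token":"s","Expiration":"2024-01-01T06:00:00Z"}"#;

fn main() {
    // Constructed environment of a Pod Identity pod; the token path is a placeholder.
    let env = env_of(&[
        (FULL_URI, "http://169.254.170.23/v1/credentials"),
        (TOKEN_FILE, "/path/to/eks-pod-identity-token"),
    ]);
    let fake_read = |_: &str| Ok::<String, io::Error>("constructed-token".to_string());
    println!("{:?}", build_request(&env, &fake_read));
    println!("expires at {:?}", expiration_from_body(SAMPLE_BODY));
}
```

The allowlist check is deliberately placed between "a token exists" and "attach it": a misconfigured FULL_URI pointing off-host yields a hard error rather than a credential request carrying the token somewhere else, and the ECS path (RELATIVE_URI, no token) is unaffected.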