Skip to content

Add s3 access grants feature#157

Open
alisoleimani wants to merge 5 commits into
duckdb:mainfrom
alisoleimani:main
Open

Add s3 access grants feature#157
alisoleimani wants to merge 5 commits into
duckdb:mainfrom
alisoleimani:main

Conversation

@alisoleimani

Copy link
Copy Markdown

S3 access grants(https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html) is a solution to control access to s3 objects at scale. It is used by some big companies to control access to s3 objects.
We need this feature to be able to use our data lake.

@romangershgorin romangershgorin mentioned this pull request Dec 11, 2025
@romangershgorin

Copy link
Copy Markdown

@Mytherin sorry to tag you directly, but as an active contributor to this repository, could you please help with review of this MR?

@guillesd

Copy link
Copy Markdown
Contributor

@alisoleimani could you provide an example of how this would be used?

@ivanovro

ivanovro commented Jan 29, 2026

Copy link
Copy Markdown

Thanks for the followup @guillesd!

@alisoleimani could you provide an example of how this would be used?

As we’re (@romangershgorin & @alisoleimani) part of the same organisation and share an interest in making this capability available, I can add some context on the use cases behind it.

Standard AWS IAM policies have practical limits on the number of statements that can be attached to a role. In large organisations, where access is managed at a fine granularity (for example, per bucket prefix or even per table mapped to S3 paths), these limits quickly become a bottleneck for scalable data access management.

S3 Access Grants address this by providing short-lived, vended credentials that are dynamically issued for specific bucket prefixes. This allows access to be managed centrally and independently of IAM role definitions, avoiding the need to constantly update or expand IAM policies as access requirements evolve.

@romangershgorin

romangershgorin commented Feb 2, 2026

Copy link
Copy Markdown

@alisoleimani should it be also added here to allow enabling access grants for secret? I had to add it here in duckdb-aws extension also, to allow usage like this

CREATE SECRET secret (
        TYPE s3,
        PROVIDER credential_chain,
        CHAIN process,
        S3_ACCESS_GRANTS_ENABLED true
);

@alisoleimani

alisoleimani commented Feb 2, 2026

Copy link
Copy Markdown
Author

@guillesd Roman already described the use case.

@romangershgorin I rebased the code to the latest main so it must be buildable now.

To use this feature you first need to enable it, either from attributes or environment var.

SET s3_access_grants_enabled=1;
export DUCKDB_S3_ACCESS_GRANTS_ENABLED=1

Now for every read/write to S3, we first check if there is a valid s3 access grant fo that s3 prefix using your identity or not, if your identity has access to that prefix using access grant we update the credentials to what access grants returns, otherwise we use your current credentials.

The core idea is to have the same functionality as https://github.com/aws/boto3-s3-access-grants-plugin

@alisoleimani

Copy link
Copy Markdown
Author

example from our datalake:
Screenshot 2026-02-02 at 17 29 21

@alisoleimani

Copy link
Copy Markdown
Author

@alisoleimani should it be also added here to allow enabling access grants for secret? I had to add it here in duckdb-aws extension also, to allow usage like this

CREATE SECRET secret (
        TYPE s3,
        PROVIDER credential_chain,
        CHAIN process,
        S3_ACCESS_GRANTS_ENABLED true
);

Depends if we want to add it or not, I do not see a use case for that yet, however if duckdb team asks us to add it to secret we can follow your suggestion

@alisoleimani
alisoleimani marked this pull request as draft February 4, 2026 09:46
@alisoleimani
alisoleimani marked this pull request as ready for review February 4, 2026 10:16

@Tmonster Tmonster left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to take a longer look at this and I've left a couple of comments.

My main thought, however, is that this seems very aws specific, is there a reason you did not implement this in the duckdb-aws extension? Possibly the aws-cpp-sdk has a number of optimizations for this workflow?

Comment thread src/s3fs.cpp
Comment thread src/s3fs.cpp Outdated
Comment thread src/s3fs.cpp Outdated
Comment thread src/s3fs.cpp
timestamp_t expiration {};
};

static LRUCache<string, string> AccountIdCache(1024);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these will be available across all DuckDB connections. So if multiple connections are using s3 access grants and secrets, it's possible they may pollute the caches, don't know how desireable that is

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, how can I create cache instances per connection?

Comment thread src/s3fs.cpp
Comment thread src/s3fs.cpp Outdated
…ws responses is parsed properly, fix missed 0
@alisoleimani

Copy link
Copy Markdown
Author

I need to take a longer look at this and I've left a couple of comments.

My main thought, however, is that this seems very aws specific, is there a reason you did not implement this in the duckdb-aws extension? Possibly the aws-cpp-sdk has a number of optimizations for this workflow?

As I wanted this flow to happen in s3 access I needed it in s3fs, if there is another possibility to have the same functionality I am open to consider it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants