I'm not deeply involved in the STS implementation in Ozone. Please reach out if someone's interested in helping out.
---------- Forwarded message --------- From: Flavin, John <[email protected]> Date: Thu, Nov 20, 2025 at 10:44 AM Subject: [DISCUSS] S3A: Custom STS endpoint support for WebIdentityTokenFileCredentialsProvider To: [email protected] <[email protected]> Hi all, I'd like to discuss adding support for configuring a custom STS endpoint when using WebIdentityTokenFileCredentialsProvider with the S3A connector. Our use case is that we're deploying Hadoop-based services/workloads (Hive, Trino, Spark) on Kubernetes. We currently have two platform targets: on-prem with MinIO as the S3-compatible object storage, and we're adding support for AWS. Our initial on-prem deployment uses static keys to access MinIO. While adding AWS support we started using IRSA, which means using the WebIdentityTokenFileCredentialsProvider for our Hadoop services. We wanted to consolidate our implementation to use the same credentials provider for both on-prem and AWS, which would allow us to eliminate static keys and use Kubernetes service-account based authentication for on-prem deployments. MinIO Operator provides an STS implementation. However, WebIdentityTokenFileCredentialsProvider always sends STS requests to sts.amazonaws.com and there's no way to redirect them to a custom endpoint, like our on-prem MinIO STS. There is support in the underlying Java AWS SDK v2: StsWebIdentityTokenFileCredentialsProvider accepts a custom-configured STS client with endpointOverride(). WebIdentityTokenFileCredentialsProvider creates an internal STS client that doesn't respect the standard environment variable AWS_ENDPOINT_URL_STS. For comparison, boto3/Python SDK handles this correctly via the environment variable with no application logic required, but Java SDK v2 requires explicit configuration that Hadoop doesn't currently perform. By analogy with AssumedRoleCredentialProvider, which has - fs.s3a.assumed.role.sts.endpoint - fs.s3a.assumed.role.sts.endpoint.region I ask that you consider adding something along the lines of - fs.s3a.webidentity.sts.endpoint - Custom STS endpoint for WebIdentity authentication - fs.s3a.webidentity.sts.endpoint.region - Region for the custom WebIdentity STS endpoint Or even adding new common configuration properties - fs.s3a.sts.endpoint - fs.s3a.sts.endpoint.region that both AssumedRoleCredentialProvider and WebIdentityTokenFileCredentialsProvider could use. When these properties are set, the S3A connector would use StsWebIdentityTokenFileCredentialsProvider with a custom STS client instead of the default WebIdentityTokenFileCredentialsProvider. 1. Does this seem like a reasonable addition to the S3A connector? 2. Is there an existing or planned approach for custom STS endpoints with WebIdentity that I missed in my research? I'm willing to contribute a patch if there's interest in this feature. I might need a bit of hand-holding as I'm not familiar with the Hadoop internals or submissions process, but I could hopefully get there with time. Thanks, John Flavin ________________________________ The materials in this message are private and may contain Protected Healthcare Information or other information of a sensitive nature. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.
