Support for IRSA#10
Conversation
…RSA based resource access
…RSA based resource access
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
Sequence DiagramShows the PR change where AWSPubSubAdapter initializes a boto3 Session either with explicit AWS credentials or with no credentials so the AWS SDK can fall back to IAM Roles for Service Accounts (IRSA). This captures the core decision and client creation flow. sequenceDiagram
participant User
participant AWSPubSubAdapter
participant boto3.Session
participant AWS_SDK (env/IRSA/InstanceProfile)
User->>AWSPubSubAdapter: instantiate(adapter, aws_region, aws_access_key_id, aws_secret_access_key, ...)
AWSPubSubAdapter->>boto3.Session: if creds provided -> Session(region, access_key, secret)
alt creds not provided
AWSPubSubAdapter->>boto3.Session: else -> Session() (no explicit creds)
boto3.Session-->>AWS_SDK: SDK falls back to environment / IRSA / instance profile
end
boto3.Session-->>AWSPubSubAdapter: session
AWSPubSubAdapter->>boto3.Session: create sns client (with optional endpoint)
AWSPubSubAdapter->>boto3.Session: create sqs client (with optional endpoint)
AWSPubSubAdapter-->>User: adapter ready (sns_client, sqs_client)
Generated by CodeAnt AI |
Nitpicks 🔍
|
| aws_secret_access_key=aws_secret_access_key | ||
| ) | ||
| else: | ||
| self.my_session = boto3.session.Session() |
There was a problem hiding this comment.
Suggestion: When credentials are omitted to use IAM Roles, the AWS SDK session is created without specifying the region, so the adapter silently ignores the provided region argument and may fail at runtime with "You must specify a region" or use an unexpected default region instead of the caller's intended one. The fix is to still pass aws_region into boto3.session.Session in the no-credentials branch so that default credential providers (including IRSA) are used while the region remains explicitly controlled by the constructor argument. [logic error]
Severity Level: Critical 🚨
- ❌ AWSPubSubAdapter initialization fails when region only passed parametrically.
- ❌ SNS/SQS client creation fails, blocking all pubsub operations.
- ⚠️ Region may silently differ from aws_region argument, causing confusion.| self.my_session = boto3.session.Session() | |
| self.my_session = boto3.session.Session( | |
| region_name=aws_region | |
| ) |
Steps of Reproduction ✅
1. In any Python app, follow the README usage example at `README.md:19-28` but adapt for
IAM Roles as documented at `README.md:31-33`, instantiating `AWSPubSubAdapter` with
`aws_region='us-east-1'`, `aws_access_key_id=''`, `aws_secret_access_key=''`, and a valid
`redis_location`.
2. Ensure no AWS region is configured via environment or shared config (unset
`AWS_REGION`/`AWS_DEFAULT_REGION` and remove default region from `~/.aws/config`) so that
the only intended region source is the `aws_region` constructor argument.
3. Run the code so that `AWSPubSubAdapter.__init__` in `src/pubsublib/aws/main.py:17-35`
executes; because empty strings are falsy, the `else` branch at line 34 runs and calls
`boto3.session.Session()` without `region_name`, ignoring the provided `aws_region`.
4. During the same constructor call, when `self.my_session.client("sns")` is executed at
`src/pubsublib/aws/main.py:36-40`, boto3 attempts to create an SNS client without any
resolved region and raises a `botocore.exceptions.NoRegionError` with a message like "You
must specify a region", preventing the adapter from initializing under the documented IAM
Roles usage.Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** src/pubsublib/aws/main.py
**Line:** 35:35
**Comment:**
*Logic Error: When credentials are omitted to use IAM Roles, the AWS SDK session is created without specifying the region, so the adapter silently ignores the provided region argument and may fail at runtime with "You must specify a region" or use an unexpected default region instead of the caller's intended one. The fix is to still pass `aws_region` into `boto3.session.Session` in the no-credentials branch so that default credential providers (including IRSA) are used while the region remains explicitly controlled by the constructor argument.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.|
CodeAnt AI finished reviewing your PR. |
There was a problem hiding this comment.
Pull request overview
Adds AWS IRSA (IAM Roles for Service Accounts) compatibility by allowing the adapter to rely on the AWS SDK’s default credential provider chain when explicit credentials aren’t provided, and updates docs/ownership metadata accordingly.
Changes:
- Conditionally create a
boto3session without explicit credentials to enable IRSA/default provider chain usage. - Document IRSA usage in
README.md. - Update default CODEOWNERS.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
src/pubsublib/aws/main.py |
Adds conditional session initialization intended to support credential-less startup (IRSA). |
README.md |
Adds documentation section describing how to use IRSA with the library. |
.github/CODEOWNERS |
Removes a default code owner entry. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| #### Using AWS IAM Roles for Service Accounts | ||
|
|
||
| Pass `aws_region`, `aws_access_key_id` and `aws_secret_access_key` as empty strings to intialize AWS SDK without credentials, effectively falling back to Service Accounts |
There was a problem hiding this comment.
Typo: “intialize” should be “initialize”.
| Pass `aws_region`, `aws_access_key_id` and `aws_secret_access_key` as empty strings to intialize AWS SDK without credentials, effectively falling back to Service Accounts | |
| Pass `aws_region`, `aws_access_key_id` and `aws_secret_access_key` as empty strings to initialize AWS SDK without credentials, effectively falling back to Service Accounts |
| aws_secret_access_key=aws_secret_access_key | ||
| ) | ||
| else: | ||
| self.my_session = boto3.session.Session() |
There was a problem hiding this comment.
In the IRSA/no-explicit-credentials branch, the session is created without region_name. Since clients are created immediately after, this will raise NoRegionError unless the region is set via env/config. Keep region_name=aws_region in both branches (or make aws_region optional and only omit it when truly not provided).
| self.my_session = boto3.session.Session() | |
| self.my_session = boto3.session.Session(region_name=aws_region) |
| if aws_access_key_id and aws_secret_access_key: | ||
| self.my_session = boto3.session.Session( | ||
| region_name=aws_region, | ||
| aws_access_key_id=aws_access_key_id, | ||
| aws_secret_access_key=aws_secret_access_key | ||
| ) |
There was a problem hiding this comment.
The current if aws_access_key_id and aws_secret_access_key check silently falls back to ambient credentials when only one of the two values is provided (e.g., misconfiguration or typo). Consider validating that either both are provided or neither, and raise a clear error when only one is set to avoid using unintended credentials/accounts.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if sns_endpoint_url != None: | ||
| self.sns_client = self.my_session.client( | ||
| "sns", endpoint_url=sns_endpoint_url) |
There was a problem hiding this comment.
Use is not None for None checks (instead of != None) to match Python best practices and usage elsewhere in the repo. Apply this to both the SNS and SQS endpoint URL checks in this initializer.
|
|
||
| # Default owners for everything in the repo | ||
| * @SaketOH @architv @rdvs @rdhoot-oh @raj-nt | ||
| * @architv @rdvs @raj-nt |
There was a problem hiding this comment.
This change removes @rdhoot-oh in addition to @SaketOH, but the PR description only mentions removing @SaketOH. Please confirm whether @rdhoot-oh should also be removed, or update the PR description accordingly.
User description
This pull request introduces support for using AWS IAM Roles for Service Accounts by allowing the AWS SDK to initialize without explicit credentials, and updates documentation to reflect this new usage pattern. Additionally, there is a minor update to the repository's code ownership.
AWS IAM Roles for Service Accounts support:
src/pubsublib/aws/main.pyto initialize the AWS SDK session without credentials whenaws_access_key_idandaws_secret_access_keyare not provided, enabling the use of IAM Roles for Service Accounts.README.mdto document how to use AWS IAM Roles for Service Accounts by passing empty strings for AWS credentials.Repository ownership:
@SaketOHfrom the default owners in.github/CODEOWNERS.CodeAnt-AI Description
Allow AWS SDK to initialize without credentials to support Kubernetes IRSA
What Changed
Impact
✅ Works with Kubernetes IRSA for AWS access✅ Fewer credential misconfiguration errors when running in-cluster✅ Clearer repository ownership💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.