Skip to content

Support for IRSA#10

Merged
raj-nt merged 3 commits into
mainfrom
feature/OH-2226
Feb 19, 2026
Merged

Support for IRSA#10
raj-nt merged 3 commits into
mainfrom
feature/OH-2226

Conversation

@raj-nt

@raj-nt raj-nt commented Feb 19, 2026

Copy link
Copy Markdown
Collaborator

User description

This pull request introduces support for using AWS IAM Roles for Service Accounts by allowing the AWS SDK to initialize without explicit credentials, and updates documentation to reflect this new usage pattern. Additionally, there is a minor update to the repository's code ownership.

AWS IAM Roles for Service Accounts support:

  • Updated src/pubsublib/aws/main.py to initialize the AWS SDK session without credentials when aws_access_key_id and aws_secret_access_key are not provided, enabling the use of IAM Roles for Service Accounts.
  • Updated README.md to document how to use AWS IAM Roles for Service Accounts by passing empty strings for AWS credentials.

Repository ownership:

  • Removed @SaketOH from the default owners in .github/CODEOWNERS.

CodeAnt-AI Description

Allow AWS SDK to initialize without credentials to support Kubernetes IRSA

What Changed

  • When no AWS access key and secret are provided, the adapter now creates the AWS session without explicit credentials so the process can rely on pod service-account roles (IRSA) or other ambient credentials.
  • README updated with instructions to pass empty strings for AWS credentials to enable the IRSA behavior.
  • Removed a username from the repository default CODEOWNERS list.

Impact

✅ Works with Kubernetes IRSA for AWS access
✅ Fewer credential misconfiguration errors when running in-cluster
✅ Clearer repository ownership

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

Copilot AI review requested due to automatic review settings February 19, 2026 10:10
@raj-nt raj-nt requested review from architv and rdvs as code owners February 19, 2026 10:10
@codeant-ai

codeant-ai Bot commented Feb 19, 2026

Copy link
Copy Markdown

CodeAnt AI is reviewing your PR.


Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

@codeant-ai codeant-ai Bot added the size:S This PR changes 10-29 lines, ignoring generated files label Feb 19, 2026
@codeant-ai

codeant-ai Bot commented Feb 19, 2026

Copy link
Copy Markdown

Sequence Diagram

Shows the PR change where AWSPubSubAdapter initializes a boto3 Session either with explicit AWS credentials or with no credentials so the AWS SDK can fall back to IAM Roles for Service Accounts (IRSA). This captures the core decision and client creation flow.

sequenceDiagram
    participant User
    participant AWSPubSubAdapter
    participant boto3.Session
    participant AWS_SDK (env/IRSA/InstanceProfile)

    User->>AWSPubSubAdapter: instantiate(adapter, aws_region, aws_access_key_id, aws_secret_access_key, ...)
    AWSPubSubAdapter->>boto3.Session: if creds provided -> Session(region, access_key, secret)
    alt creds not provided
        AWSPubSubAdapter->>boto3.Session: else -> Session() (no explicit creds)
        boto3.Session-->>AWS_SDK: SDK falls back to environment / IRSA / instance profile
    end
    boto3.Session-->>AWSPubSubAdapter: session
    AWSPubSubAdapter->>boto3.Session: create sns client (with optional endpoint)
    AWSPubSubAdapter->>boto3.Session: create sqs client (with optional endpoint)
    AWSPubSubAdapter-->>User: adapter ready (sns_client, sqs_client)
Loading

Generated by CodeAnt AI

@codeant-ai

codeant-ai Bot commented Feb 19, 2026

Copy link
Copy Markdown

Nitpicks 🔍

🔒 No security issues identified
⚡ Recommended areas for review

  • Partial credentials
    The condition if aws_access_key_id and aws_secret_access_key relies on truthiness; if only one credential is supplied (or a whitespace string) the code will fall into the no-credentials branch. This can produce confusing behavior. Validate that both credentials are present (non-empty after trimming) or raise/log a clear error.

  • Missing region
    When no explicit AWS credentials are provided the code constructs a boto3 Session without a region. If the session lacks region configuration, client calls may fail due to missing region/endpoint resolution. The session should still include the provided aws_region so clients are properly configured for the target region.

Comment thread src/pubsublib/aws/main.py
aws_secret_access_key=aws_secret_access_key
)
else:
self.my_session = boto3.session.Session()

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: When credentials are omitted to use IAM Roles, the AWS SDK session is created without specifying the region, so the adapter silently ignores the provided region argument and may fail at runtime with "You must specify a region" or use an unexpected default region instead of the caller's intended one. The fix is to still pass aws_region into boto3.session.Session in the no-credentials branch so that default credential providers (including IRSA) are used while the region remains explicitly controlled by the constructor argument. [logic error]

Severity Level: Critical 🚨
- ❌ AWSPubSubAdapter initialization fails when region only passed parametrically.
- ❌ SNS/SQS client creation fails, blocking all pubsub operations.
- ⚠️ Region may silently differ from aws_region argument, causing confusion.
Suggested change
self.my_session = boto3.session.Session()
self.my_session = boto3.session.Session(
region_name=aws_region
)
Steps of Reproduction ✅
1. In any Python app, follow the README usage example at `README.md:19-28` but adapt for
IAM Roles as documented at `README.md:31-33`, instantiating `AWSPubSubAdapter` with
`aws_region='us-east-1'`, `aws_access_key_id=''`, `aws_secret_access_key=''`, and a valid
`redis_location`.

2. Ensure no AWS region is configured via environment or shared config (unset
`AWS_REGION`/`AWS_DEFAULT_REGION` and remove default region from `~/.aws/config`) so that
the only intended region source is the `aws_region` constructor argument.

3. Run the code so that `AWSPubSubAdapter.__init__` in `src/pubsublib/aws/main.py:17-35`
executes; because empty strings are falsy, the `else` branch at line 34 runs and calls
`boto3.session.Session()` without `region_name`, ignoring the provided `aws_region`.

4. During the same constructor call, when `self.my_session.client("sns")` is executed at
`src/pubsublib/aws/main.py:36-40`, boto3 attempts to create an SNS client without any
resolved region and raises a `botocore.exceptions.NoRegionError` with a message like "You
must specify a region", preventing the adapter from initializing under the documented IAM
Roles usage.
Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** src/pubsublib/aws/main.py
**Line:** 35:35
**Comment:**
	*Logic Error: When credentials are omitted to use IAM Roles, the AWS SDK session is created without specifying the region, so the adapter silently ignores the provided region argument and may fail at runtime with "You must specify a region" or use an unexpected default region instead of the caller's intended one. The fix is to still pass `aws_region` into `boto3.session.Session` in the no-credentials branch so that default credential providers (including IRSA) are used while the region remains explicitly controlled by the constructor argument.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
👍 | 👎

@codeant-ai

codeant-ai Bot commented Feb 19, 2026

Copy link
Copy Markdown

CodeAnt AI finished reviewing your PR.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds AWS IRSA (IAM Roles for Service Accounts) compatibility by allowing the adapter to rely on the AWS SDK’s default credential provider chain when explicit credentials aren’t provided, and updates docs/ownership metadata accordingly.

Changes:

  • Conditionally create a boto3 session without explicit credentials to enable IRSA/default provider chain usage.
  • Document IRSA usage in README.md.
  • Update default CODEOWNERS.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
src/pubsublib/aws/main.py Adds conditional session initialization intended to support credential-less startup (IRSA).
README.md Adds documentation section describing how to use IRSA with the library.
.github/CODEOWNERS Removes a default code owner entry.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread README.md Outdated

#### Using AWS IAM Roles for Service Accounts

Pass `aws_region`, `aws_access_key_id` and `aws_secret_access_key` as empty strings to intialize AWS SDK without credentials, effectively falling back to Service Accounts

Copilot AI Feb 19, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo: “intialize” should be “initialize”.

Suggested change
Pass `aws_region`, `aws_access_key_id` and `aws_secret_access_key` as empty strings to intialize AWS SDK without credentials, effectively falling back to Service Accounts
Pass `aws_region`, `aws_access_key_id` and `aws_secret_access_key` as empty strings to initialize AWS SDK without credentials, effectively falling back to Service Accounts

Copilot uses AI. Check for mistakes.
Comment thread src/pubsublib/aws/main.py
aws_secret_access_key=aws_secret_access_key
)
else:
self.my_session = boto3.session.Session()

Copilot AI Feb 19, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the IRSA/no-explicit-credentials branch, the session is created without region_name. Since clients are created immediately after, this will raise NoRegionError unless the region is set via env/config. Keep region_name=aws_region in both branches (or make aws_region optional and only omit it when truly not provided).

Suggested change
self.my_session = boto3.session.Session()
self.my_session = boto3.session.Session(region_name=aws_region)

Copilot uses AI. Check for mistakes.
Comment thread src/pubsublib/aws/main.py
Comment on lines +28 to +33
if aws_access_key_id and aws_secret_access_key:
self.my_session = boto3.session.Session(
region_name=aws_region,
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key
)

Copilot AI Feb 19, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current if aws_access_key_id and aws_secret_access_key check silently falls back to ambient credentials when only one of the two values is provided (e.g., misconfiguration or typo). Consider validating that either both are provided or neither, and raise a clear error when only one is set to avoid using unintended credentials/accounts.

Copilot uses AI. Check for mistakes.
Comment thread README.md Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 19, 2026 10:18

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/pubsublib/aws/main.py
Comment on lines 36 to 38
if sns_endpoint_url != None:
self.sns_client = self.my_session.client(
"sns", endpoint_url=sns_endpoint_url)

Copilot AI Feb 19, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use is not None for None checks (instead of != None) to match Python best practices and usage elsewhere in the repo. Apply this to both the SNS and SQS endpoint URL checks in this initializer.

Copilot uses AI. Check for mistakes.
Comment thread .github/CODEOWNERS

# Default owners for everything in the repo
* @SaketOH @architv @rdvs @rdhoot-oh @raj-nt
* @architv @rdvs @raj-nt

Copilot AI Feb 19, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change removes @rdhoot-oh in addition to @SaketOH, but the PR description only mentions removing @SaketOH. Please confirm whether @rdhoot-oh should also be removed, or update the PR description accordingly.

Copilot uses AI. Check for mistakes.
@raj-nt raj-nt merged commit ee22cf7 into main Feb 19, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:S This PR changes 10-29 lines, ignoring generated files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants