TIMX 540 - adjust AWS credential chain for ECS context #164
Merged
ghukill merged 2 commits into epic-TIMX-515 from Aug 14, 2025
Why these changes are being introduced:
It sounds like the best option for ECS tasks is using 'instance' as the provider chain type, where for local dev and/or lambdas it might be 'sso' or 'env'. Not having 'instance' appears to cause failures in the ECS task.
How this addresses that need:
By omitting the 'chain' option entirely from DuckDB secret creation we allow the default provider chain to take effect. Given our fairly normal usage of DuckDB and S3, this is probably the best approach.
Side effects of this change:
* DuckDB to S3 connections work in ECS
Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/TIMX-540
ghukill commented Aug 14, 2025
| create or replace secret aws_s3_secret ( | ||
| type s3, | ||
| provider credential_chain, | ||
| chain 'sso;env;config', |
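Review bot: The "chain 'sso;env;config'," line is the one this PR drops, and nothing at the "create or replace secret aws_s3_secret" statement records why. Suggest a short comment there saying the chain option is left unset on purpose so the default provider chain can reach 'instance' in ECS; otherwise a later edit could reintroduce an explicit list that excludes it and break the ECS task again. Because the credential source is now implicit and differs between local dev, lambdas and ECS, it would also help to document which source is expected in each context.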
This here was the key change.
ehanson8 approved these changes Aug 14, 2025
Purpose and background context
Small tweaks to AWS secret creation in DuckDB context after testing in ECS context.
In short: the removal of chain allows DuckDB to try all methods, e.g. sso, env, instance, etc., until it finds credentials. Previously I had a list of types I thought would work, but instance was the magic one for ECS Fargate tasks!
How can a reviewer manually see the effects of these changes?
Successful run in Dev 1 as part of StepFunction (link):
Ultimately the run failed, but that was expected; it was the success of Transmog here that was important 😎.
Includes new or updated dependencies?
NO
Changes expectations for external applications?
YES: Transmog, pipeline lambda, and TIM should be able to DuckDB connect to S3 assets
What are the relevant tickets?