Closed JonMerlevede closed 1 year ago
Ah sorry about that, i am currently on holiday and won't be able to do any work on this for 2 weeks. However in the meantime I am happy to receive any PRs.
Hi @JonMerlevede really sorry for the super long delay in this. I have been busy working on the R AWS SDK (paws). Would a simple fix be to remove: https://github.com/DyfanJones/RAthena/blob/d8646bc2c045d576b0ff30fb444043eef97b1e09/R/Driver.R#L246 and allow boto3 do the work instead.
Please try out:
remotes::install_github("dyfanjones/RAthena", ref = "arn_role")
Let me know if this fixes the issue
RAthena v2.6.1 has been released to cran. It now lets boto3 sdk handle the role from environment variable AWS_ROLE_ARN. If this is still any issue please re-open the ticket
Issue Description
The code for
dbConnect()
checks if theAWS_ROLE_ARN
environment variable is set, and performs an explicit assume role operation if it is. To perform the assume role operation, it calls on Boto3. Boto3 also usesAWS_ROLE_ARN
to determine which role to assume, for example when using web identity authentication. This causes RAthena to try to assume role A from role A, which is always superfluous and often denied.Reproducible Example
Set the
AWS_ROLE_ARN
andAWS_WEB_IDENTITY_TOKEN_FILE
environment variables; Boto3 can now authenticate.Assuming that
AWS_ROLE_ARN
has valuearn:aws:iam::123456789101:role/A
, call ondbConnect()
and get the exception:If unsetting
AWS_ROLE_ARN
, call ondbConnect()
and get the exception:Proposed solution
Allow a value for the
aws_role
parameter that does not trigger an assume role operation, even ifAWS_ROLE_ARN
is set.