SDK | Update aws sts cred method

[naveenpaul1]

Describe the Problem

account_server and bucket_server still using old AWS s2 sts cred generating code

Explain the Changes

1. Update account_server and bucket_server replace generate_aws_sts_creds() with generate_aws_sdkv3_sts_creds()

Issues: Fixed #xxx / Gap #xxx

Testing Instructions:

• Doc added/updated
• Tests added

Summary by CodeRabbit

• Refactor
  • Migrated AWS STS credential handling to AWS SDK v3 across S3 operations (read/write delegation, namespace setup, account checks, and bucket client creation).
  • Improves compatibility and stability when using temporary credentials or assumed roles for S3 access.
  • No user action required; behavior remains the same with enhanced reliability.

[coderabbitai]

Walkthrough

Replaces AWS STS credential and STS-S3 client helper calls with AWS SDK v3 equivalents across S3-related paths. Updated functions: generate_aws_sdkv3_sts_creds and createSTSS3SDKv3Client. Logic, parameters, branching, and error handling remain unchanged.

Changes

Cohort / File(s)	Summary of changes
Switch to SDK v3 STS credential generation src/agent/block_store_services/block_store_client.js, src/server/system_services/account_server.js, src/server/system_services/bucket_server.js	Replaced calls to cloud_utils.generate_aws_sts_creds(...) with cloud_utils.generate_aws_sdkv3_sts_creds(...) when STS ARN is present; assignments to accessKeyId/secretAccessKey/sessionToken unchanged.
Switch to SDK v3 STS-backed S3 client creation src/sdk/namespace_s3.js	Replaced cloud_utils.createSTSS3Client(...) with cloud_utils.createSTSS3SDKv3Client(...) under STS ARN condition; parameters and flow unchanged.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Caller as Caller (BlockStore/Namespace/Servers)
  participant CU as cloud_utils
  participant STS as AWS STS
  participant S3 as AWS S3 Client (SDK v3)

  Caller->>CU: generate_aws_sdkv3_sts_creds(params, scope)
  CU->>STS: AssumeRole / GetSessionToken
  STS-->>CU: Temporary creds (AK/SK/SessionToken)
  CU-->>Caller: STS creds
  Caller->>S3: create client (v3) with creds
  S3-->>Caller: Client instance
  note over Caller,S3: Subsequent S3 ops proceed as before

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• SDK | Upgrade AWS SDK to v3 - Block Store S3 #9067 — Introduces SDK v3 STS/S3 helpers used by this PR (generate_aws_sdkv3_sts_creds and createSTSS3SDKv3Client).
• SDK | Upgrade AWS SDK to v3 - NamespaceS3 #9163 — Migrates cloud_utils and NamespaceS3 to AWS SDK v3, aligning with the helper switches here.
• bucket logging - adapt s3 conn to aws sdk v3 (dfs 3887) #9210 — Continues S3/STS migration to SDK v3; complements this PR’s credential/client updates.

Suggested labels

size/M

Suggested reviewers

• dannyzaken
• liranmauda
• jackyalbo
• tangledbytes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title succinctly describes the primary change—updating the AWS STS credential generation method used by SDK-related code paths to the SDK v3 variant—and directly maps to the replacements shown in the diff. It is concise, focused, and meaningful for a reviewer scanning PR history.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4440839 and 64ffae8.

📒 Files selected for processing (4)

• src/agent/block_store_services/block_store_client.js (2 hunks)
• src/sdk/namespace_s3.js (1 hunks)
• src/server/system_services/account_server.js (1 hunks)
• src/server/system_services/bucket_server.js (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• src/server/system_services/bucket_server.js
• src/server/system_services/account_server.js
• src/sdk/namespace_s3.js
• src/agent/block_store_services/block_store_client.js

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Noobaa Image
• GitHub Check: run-jest-unit-tests
• GitHub Check: run-package-lock-validation

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

src/agent/block_store_services/block_store_client.js (2)

306-310: Avoid logging secrets (omit more keys).

Current omit only hides secretAccessKey. STS/non-STS paths may expose secret_key and sessionToken.

-                dbg.log1('_delegate_write_block_s3:',
-                    'got s3_params from block_store. writing using S3 sdk. s3_params =',
-                    _.omit(s3_params, 'secretAccessKey'),
+                dbg.log1('_delegate_write_block_s3:',
+                    'got s3_params from block_store. writing using S3 sdk. s3_params =',
+                    _.omit(s3_params, ['secretAccessKey','secret_key','sessionToken']),
                     'aws_sts_arn', bs_info.connection_params.aws_sts_arn);

---

359-363: Avoid logging secrets on read path.

Mirror the logging scrub.

-                dbg.log1('_delegate_read_block_s3:',
-                    'got s3_params from block_store. writing using S3 sdk. s3_params =',
-                    _.omit(s3_params, 'secretAccessKey'),
+                dbg.log1('_delegate_read_block_s3:',
+                    'got s3_params from block_store. writing using S3 sdk. s3_params =',
+                    _.omit(s3_params, ['secretAccessKey','secret_key','sessionToken']),
                     'aws_sts_arn', bs_info.connection_params.aws_sts_arn);

src/sdk/namespace_s3.js (1)

69-76: Action required — STS S3 client is method-compatible but does NOT preserve agent/endpoint/auto-region; fix needed.

createSTSS3SDKv3Client returns a v3 S3 instance (supports listObjects/getObject and .send) and sets region from params, but it does not reuse the original client's requestHandler/HTTP agent, endpoint, or the S3ClientAutoRegion send-wrapper. NamespaceS3._prepare_sts_client calls it with only RoleSessionName, so custom agent/endpoint/auto-region behavior from the original this.s3 will be lost.

• Location: src/util/cloud_utils.js:createSTSS3SDKv3Client — currently builds new S3({ credentials, region, endpoint: additionalParams.endpoint, requestHandler: new NodeHttpHandler({ httpsAgent: additionalParams.httpOptions }), ... }).
• Caller: src/sdk/namespace_s3.js:_prepare_sts_client — passes only RoleSessionName (no endpoint/agent), overwriting the previous this.s3 created by noobaa_s3_client.get_s3_client_v3_params(...).

Recommended fixes (choose one):

• Pass endpoint and the underlying agent into additionalParams when calling createSTSS3SDKv3Client (e.g., additionalParams.endpoint = this.s3_params.endpoint and additionalParams.httpOptions = http_utils.get_agent_by_endpoint(this.s3_params.endpoint)) so requestHandler/agent and forcePathStyle are preserved.
• Or modify createSTSS3SDKv3Client to reuse params.requestHandler / params.httpOptions (or construct requestHandler from params.endpoint) and/or return/wrap the client with the existing S3ClientAutoRegion wrapper (see src/sdk/noobaa_s3_client/noobaa_s3_client_sdkv3.js) so the send() auto-region behavior is preserved.

Losing agent/endpoint or the auto-region send override is a behavioral regression and must be addressed.

🧹 Nitpick comments (3)

src/sdk/namespace_s3.js (1)

71-73: Nit: clearer session name for auditing.

Use a RoleSessionName that reflects this component.

-            const additionalParams = {
-                RoleSessionName: 'block_store_operations',
-            };
+            const additionalParams = {
+                RoleSessionName: 'namespace_s3_operations',
+            };

src/agent/block_store_services/block_store_client.js (2)

300-305: STS v3 creds: tolerate both key casings.

Prevent runtime auth issues if the helper returns capitalized fields.

-                if (bs_info.connection_params.aws_sts_arn) {
-                    const creds = await cloud_utils.generate_aws_sdkv3_sts_creds(s3_params, "_delegate_write_block_s3_session");
-                    s3_params.accessKeyId = creds.accessKeyId;
-                    s3_params.secretAccessKey = creds.secretAccessKey;
-                    s3_params.sessionToken = creds.sessionToken;
-                }
+                if (bs_info.connection_params.aws_sts_arn) {
+                    const creds = await cloud_utils.generate_aws_sdkv3_sts_creds(s3_params, "_delegate_write_block_s3_session");
+                    s3_params.accessKeyId = creds.accessKeyId || creds.AccessKeyId;
+                    s3_params.secretAccessKey = creds.secretAccessKey || creds.SecretAccessKey;
+                    s3_params.sessionToken = creds.sessionToken || creds.SessionToken;
+                }

---

354-358: STS v3 creds: casing tolerance on read path as well.

Match the write-path fix.

-                if (bs_info.connection_params.aws_sts_arn) {
-                    const creds = await cloud_utils.generate_aws_sdkv3_sts_creds(s3_params, "_delegate_read_block_s3_session");
-                    s3_params.accessKeyId = creds.accessKeyId;
-                    s3_params.secretAccessKey = creds.secretAccessKey;
-                    s3_params.sessionToken = creds.sessionToken;
-                }
+                if (bs_info.connection_params.aws_sts_arn) {
+                    const creds = await cloud_utils.generate_aws_sdkv3_sts_creds(s3_params, "_delegate_read_block_s3_session");
+                    s3_params.accessKeyId = creds.accessKeyId || creds.AccessKeyId;
+                    s3_params.secretAccessKey = creds.secretAccessKey || creds.SecretAccessKey;
+                    s3_params.sessionToken = creds.sessionToken || creds.SessionToken;
+                }

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 29d20c7 and 4440839.

📒 Files selected for processing (4)

• src/agent/block_store_services/block_store_client.js (2 hunks)
• src/sdk/namespace_s3.js (1 hunks)
• src/server/system_services/account_server.js (1 hunks)
• src/server/system_services/bucket_server.js (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

src/server/system_services/account_server.js (1)

src/server/system_services/bucket_server.js (2)

• creds (2040-2040)
• cloud_utils (25-25)

src/server/system_services/bucket_server.js (1)

src/server/system_services/account_server.js (2)

• creds (1054-1054)
• cloud_utils (16-16)

src/agent/block_store_services/block_store_client.js (2)

src/server/system_services/account_server.js (3)

• creds (1054-1054)
• cloud_utils (16-16)
• s3_params (1064-1074)

src/server/system_services/bucket_server.js (3)

• creds (2040-2040)
• cloud_utils (25-25)
• s3_params (2048-2058)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Noobaa Image
• GitHub Check: run-jest-unit-tests
• GitHub Check: run-package-lock-validation

🔇 Additional comments (2)

src/server/system_services/bucket_server.js (1)

2036-2044: No change needed — helper already returns lower-cased STS fields.
generate_aws_sdkv3_sts_creds maps response.Credentials.AccessKeyId/SecretAccessKey/SessionToken to accessKeyId/secretAccessKey/sessionToken (see src/util/cloud_utils.js) and callers/tests use the lower-cased keys.

Likely an incorrect or invalid review comment.

src/server/system_services/account_server.js (1)

1053-1058: No change required — helper returns lowerCamel STS creds.
generate_aws_sdkv3_sts_creds (src/util/cloud_utils.js) returns { accessKeyId, secretAccessKey, sessionToken }, so the current assignments are correct and the capitalization guard is unnecessary.

Likely an incorrect or invalid review comment.