feat(cubestore): support AWS Web Identity Token File in S3RemoteFs

bsod90 · claude · bsod90 · commit 635d2edea1c9 · 2026-04-14T12:24:59.000-07:00
When CUBESTORE_AWS_ACCESS_KEY_ID is not set and AWS_WEB_IDENTITY_TOKEN_FILE
is present, the credential provider chain falls through to STS
AssumeRoleWithWebIdentity — reading the JWT from the token file and
exchanging it for temporary session credentials.

The refresh loop now polls the token file mtime every 30 seconds in web
identity mode (vs 3-hour default for static credentials). Credentials are
only re-exchanged when the file actually changes, keeping STS calls minimal.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/rust/cubestore/cubestore/src/remotefs/s3.rs b/rust/cubestore/cubestore/src/remotefs/s3.rs
@@ -94,15 +94,45 @@ fn spawn_creds_refresh_loop(
     region: Region,
     fs: &Arc<S3RemoteFs>,
 ) {
-    // Refresh credentials. TODO: use expiration time.
-    let refresh_every = refresh_interval_from_env();
+    // When AWS_WEB_IDENTITY_TOKEN_FILE is set and no explicit access keys are
+    // provided, the credential chain falls through to STS
+    // AssumeRoleWithWebIdentity.  STS session credentials expire (~1 hour), so
+    // we poll the token file for changes frequently (default 30s) instead of
+    // the default 3-hour static-credential refresh.
+    // CUBESTORE_AWS_CREDS_REFRESH_EVERY_MINS is respected in both modes.
+    let is_web_identity = access_key.is_none()
+        && env::var("AWS_WEB_IDENTITY_TOKEN_FILE").is_ok();
+    let token_file = if is_web_identity {
+        env::var("AWS_WEB_IDENTITY_TOKEN_FILE").ok()
+    } else {
+        None
+    };
+
+    let refresh_every = {
+        let configured = refresh_interval_from_env();
+        if is_web_identity && configured == Duration::from_secs(60 * 180) {
+            // Operator didn't set CUBESTORE_AWS_CREDS_REFRESH_EVERY_MINS —
+            // use 30s default for web identity instead of the 3-hour static default.
+            Duration::from_secs(30)
+        } else {
+            configured
+        }
+    };
+
     if refresh_every.as_secs() == 0 {
         return;
     }
 
     let fs = Arc::downgrade(fs);
+    let mut last_modified = token_file
+        .as_ref()
+        .and_then(|f| std::fs::metadata(f).ok()?.modified().ok());
+
     std::thread::spawn(move || {
-        log::debug!("Started S3 credentials refresh loop");
+        log::debug!(
+            "Started S3 credentials refresh loop (web_identity={})",
+            is_web_identity
+        );
         loop {
             std::thread::sleep(refresh_every);
             let fs = match fs.upgrade() {
@@ -112,6 +142,21 @@ fn spawn_creds_refresh_loop(
                 }
                 Some(fs) => fs,
             };
+
+            // In web identity mode, only refresh when the token file changed.
+            // token_file is None when not in web identity mode, so this block
+            // never activates for static credentials.
+            if let Some(ref file) = token_file {
+                let current_modified = std::fs::metadata(file)
+                    .ok()
+                    .and_then(|m| m.modified().ok());
+                if current_modified == last_modified {
+                    continue;
+                }
+                last_modified = current_modified;
+                info!("Web identity token file changed, refreshing S3 credentials");
+            }
+
             let c = match Credentials::new(
                 access_key.as_deref(),
                 secret_key.as_deref(),
