Skip to content

Add handling for new grafana assume role keys #338

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add handling for new grafana assume role keys #338

wants to merge 1 commit into from

Conversation

iwysiu
Copy link
Contributor

@iwysiu iwysiu commented Sep 30, 2025

The new keys are located at a new folder and there may be multiple of them, so updating the logic for that.

@iwysiu iwysiu requested a review from a team as a code owner September 30, 2025 22:14
@iwysiu iwysiu requested review from idastambuk and njvrzm and removed request for a team September 30, 2025 22:14
njvrzm
njvrzm requested changes Oct 3, 2025
View reviewed changes
Copy link
Contributor

@njvrzm njvrzm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One blocking comment I'm afraid - let me know if you want to chat about approaches

pkg/awsauth/settings.go
}

creds := client.NewStaticCredentialsProvider(string(accessKey), string(secretKey), "")
_, err := creds.Retrieve(ctx)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately this doesn't actually validate the credentials - you don't get an error regardless of what strings you pass in. We could validate them here by using GetCallerIdentity or the like, but that takes a nontrivial amount of time so we probably don't want to do it every time.

One approach would be to set a global to aws-temp-credentials-1 and use that when choosing keys, then in WithAssumeRole if we get an error indicating the credentials are invalid (have to check what that looks like) we switch the global to aws-temp-credentials-2 and retry (once).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@njvrzm njvrzm njvrzm requested changes

@idastambuk idastambuk Awaiting requested review from idastambuk idastambuk is a code owner automatically assigned from grafana/aws-datasources

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@iwysiu @njvrzm