Fix access to public S3 buckets form restricted Intance/Job Roles #6553
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…o access public s3 Signed-off-by: jorgee <[email protected]>
Signed-off-by: jorgee <[email protected]>
✅ Deploy Preview for nextflow-docs-staging canceled.
|
pditommaso
reviewed
Nov 11, 2025
pditommaso
reviewed
Nov 11, 2025
pditommaso
reviewed
Nov 11, 2025
| echo "$output" | ||
| return 1 | ||
| fi | ||
| else |
Member
There was a problem hiding this comment.
Theres' no way to avoid the fallback logic and make this predictable?
Contributor
Author
There was a problem hiding this comment.
It is tricky, the only way to check if it is public in this condition is just try to access. We could reduce the number of fallbacks by using the try we do in the ls for the cp, so if the ls has worked with --no-sign-request, we will use it in the cp. It will be a complex code but I will just fallback once per file.
Contributor
Author
There was a problem hiding this comment.
This could be the alternative only falling back for ls
nxf_s3_download() {
local source=\$1
local target=\$2
local file_name=\$(basename \$1)
local opts=(--only-show-errors)
local ls_output
if ! ls_output=\$($cli s3 ls \$source 2>&1); then
if echo "\$ls_output" | grep -Eq "(AccessDenied|Forbidden|403)"; then
echo "Access denied, retrying unsigned request..."
if ! ls_output=\$($cli s3 ls --no-sign-request \$source 2>&1); then
echo \$ls_output
return 1
else
opts+=(--no-sign-request)
fi
else
echo \$ls_output
return 1
fi
fi
local is_dir=\$(echo \$ls_output | grep -F "PRE \${file_name}/" -c)
if [[ \$is_dir == 1 ]]; then
opts+=(--recursive)
fi
$cli s3 cp "\${opts[@]}" "\$source" "\$target"
}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
close #4732
Depite public s3 buckets can be accessed without s3 credentials, the access to this buckets using the AWS SDK or CLI can fail if we get the credentials from instance or job roles that only allow to access a certain private s3 buckets. It produces errors when running pipelines combining public s3 buckets with private buckets.
The
aws.client.anonymousoption does not solve the issue by two reasons:1- It only aplies to SDK actions at head node, and some stage-in operations are happening at the AWS Batch job that uses the AWS CLI.
2- It is aplied to all the clients. If applied the head job cannot access private buckets.
This PR implements a fallback mechanism for S3 download operations in the CLI and SDK.
I think this approach can deprecate the
aws.client.anonymousflag