Summary
When the AWS Secrets Manager secrets provider needs to authenticate against a different AWS account/credentials than the default S3 datastore, there is no configuration to supply custom session variables or client parameters.
The S3 datatools client supports this via METAFLOW_DATATOOLS_SESSION_VARS / METAFLOW_DATATOOLS_CLIENT_PARAMS, but there is no equivalent METAFLOW_AWS_SECRETS_MANAGER_SESSION_VARS / METAFLOW_AWS_SECRETS_MANAGER_CLIENT_PARAMS.
Details
get_aws_client already accepts session_vars and client_params, and the S3 datatools path wires config values straight through (metaflow/metaflow/plugins/aws/aws_client.py, lines 94 to 96 and 110 to 116 in 9088ec4):

```python
def get_aws_client(
    module, with_error=False, role_arn=None, session_vars=None, client_params=None
):
    # ... (lines 97 to 109 not shown in the issue)
    return cached_provider_class.get_client(
        module,
        with_error,
        role_arn=role_arn,
        session_vars=session_vars,
        client_params=client_params,
    )
```
The AWS Secrets Manager provider, however, only passes region_name and role_arn, leaving session_vars / client_params unset (metaflow/metaflow/plugins/aws/secrets_manager/aws_secrets_manager_secrets_provider.py, lines 97 to 101 in 9088ec4):

```python
secrets_manager_client = get_aws_client(
    "secretsmanager",
    client_params={"region_name": effective_aws_region},
    role_arn=role,
)
```
As a result there is no way to customize the botocore session/client for Secrets Manager (e.g. supplying a different profile, credential provider, or endpoint) when the secret lives in a different account/credential context than the S3 store.
The only available override is AWS_SECRETS_MANAGER_DEFAULT_ROLE (role assumption), which doesn't cover all credential scenarios, including ours.
Expected behavior
Provide config options comparable to the datatools ones, e.g. METAFLOW_AWS_SECRETS_MANAGER_SESSION_VARS and METAFLOW_AWS_SECRETS_MANAGER_CLIENT_PARAMS passed through to get_aws_client when the Secrets Manager provider builds its client, so custom credentials can be supplied via the environment/config.
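As an added illustration of the requested pass-through (example code, not Metaflow's own), the snippet below reads the two proposed settings and builds the keyword arguments the provider would hand to get_aws_client. It assumes both settings arrive as JSON-encoded objects in the environment under the names proposed above, and that get_aws_client is injected by the caller so the wiring can be exercised without AWS credentials; the provider's already-computed region is kept so existing behaviour does not change.

```python
"""Proposed session_vars / client_params pass-through for the Secrets Manager provider.

Added example, not Metaflow code. Assumptions: the new settings are JSON objects in
METAFLOW_AWS_SECRETS_MANAGER_SESSION_VARS and METAFLOW_AWS_SECRETS_MANAGER_CLIENT_PARAMS
(names proposed in this issue), and get_aws_client is supplied by the caller.
"""
import json
import os

SESSION_VARS_KEY = "METAFLOW_AWS_SECRETS_MANAGER_SESSION_VARS"
CLIENT_PARAMS_KEY = "METAFLOW_AWS_SECRETS_MANAGER_CLIENT_PARAMS"


def _json_object(environ, key):
    """Decode an optional JSON object from the environment; reject non-object values."""
    raw = environ.get(key)
    if not raw:
        return {}
    value = json.loads(raw)
    if not isinstance(value, dict):
        raise ValueError("%s must be a JSON object, got %s" % (key, type(value).__name__))
    return value


def secrets_manager_client_kwargs(effective_aws_region, role, environ=None):
    """Build the kwargs for get_aws_client, mirroring the datatools wiring.

    The region the provider already computed (effective_aws_region) is kept, so a
    region_name in the configured client params cannot silently redirect the lookup;
    every other configured key (profile_name, endpoint_url, ...) passes straight through.
    """
    environ = os.environ if environ is None else environ
    session_vars = _json_object(environ, SESSION_VARS_KEY)
    client_params = dict(_json_object(environ, CLIENT_PARAMS_KEY))
    client_params["region_name"] = effective_aws_region
    return {
        "module": "secretsmanager",
        "role_arn": role,
        "session_vars": session_vars or None,
        "client_params": client_params,
    }


def make_secrets_manager_client(get_aws_client, effective_aws_region, role, environ=None):
    """Call the (injected) get_aws_client exactly as the provider would after the change."""
    return get_aws_client(**secrets_manager_client_kwargs(effective_aws_region, role, environ))
```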
Relevant files
metaflow/metaflow/plugins/aws/aws_client.py (lines 94 to 96 and 110 to 116 in 9088ec4)
metaflow/metaflow/plugins/aws/secrets_manager/aws_secrets_manager_secrets_provider.py (lines 97 to 101 in 9088ec4)
Environment
Metaflow version: 2.19.33