Fix S3 authentication for IAM roles by including Session token in env vars
See original GitHub issueDescription A clear and concise description of what the bug is. Triton server does not read SESSION_TOKEN environment variable that is required when using IAM roles and temp credentials. Please see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html for more information. S3 resources cannot be accessed by triton even though they are accessible from command line. (Docker containers are usually provisioned with IAM roles and use temporary credentials)
Triton Information What version of Triton are you using? r20.10 Are you using the Triton container or did you build it yourself? Used the container To Reproduce Steps to reproduce the behavior.
Describe the models (framework, inputs, outputs), ideally include the model configuration file (if using an ensemble include the model configuration file for that as well).
Expected behavior
A clear and concise description of what you expected to happen.
tritonserver --model-repository=s3://path/to/model_repo
This fails with cannot read metadata for Bucket
However aws s3 ls s3://path/to/model_repo
works
The solution is to include AWS_SESSION_TOKEN when available and I have created a PR here for the same: https://github.com/triton-inference-server/server/pull/2290
Please merge this if it looks good as I suspect this will resolve a lot of s3 access issues.
Issue Analytics
- State:
- Created 3 years ago
- Comments:12 (6 by maintainers)
Top GitHub Comments
@TomasGajarsky we have noted your request to this enhancement.
@efog Can you try with a recent version of Triton Inference Server? 21.03 is nearly a year old. We updated the version of aws-sdk-cpp used in Triton 8 months ago.
If you see the issue with the new Triton release as well please open a new ticket for the same with necessary details for us to triage the issue
Hi, we have added a test to check the functionality of temporary credential for AWS, and the test is passing. If you are still facing issue with session token, please take a look into the test that starts from L345 towards the end of the script to see if that is the same use-case as yours. If not, please file a separate GitHub issue, so we can follow-up.