Skip to content

OADP-5777: Add automatic S3 bucket region detection and document AWS HeadBucket API behavior #1740

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: oadp-dev
Choose a base branch
from
Open

OADP-5777: Add automatic S3 bucket region detection and document AWS HeadBucket API behavior #1740

wants to merge 3 commits into from
+176 −6

Conversation

@kaovilai
Copy link
Member

@kaovilai kaovilai commented May 2, 2025
edited
Loading

Why the changes were made

This PR implements automatic S3 bucket region detection for AWS BackupStorageLocations (BSLs) and documents the expected AWS behavior for the GetBucketRegion function, based on AWS Security's official confirmation.

Key Improvements

  1. Automatic Region Detection: BSLs using AWS S3 will now automatically detect and configure the correct bucket region when not explicitly specified
  2. AWS Security Confirmation: Documents that anonymous credentials work for region detection on both public and private buckets (confirmed by AWS as expected behavior)

Background

We discovered that the AWS SDK's GetBucketRegion function works with anonymous credentials on both public and private S3 buckets. AWS Security has confirmed this is expected behavior, not a security vulnerability:

  • The HeadBucket API endpoint (used internally by GetBucketRegion) does not enforce s3:ListBucket permissions for region retrieval
  • AWS Security Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg

Changes Made

1. S3 Region Detection (pkg/storage/aws/s3.go)

  • Updated GetBucketRegion to use anonymous credentials via credentials.NewStaticCredentialsProvider
  • Added comprehensive comments explaining AWS Security's confirmation
  • Documented that this works for both public and private buckets

2. Auto-Region Detection (pkg/common/common.go)

  • Added automatic region detection in UpdateBackupStorageLocation for AWS BSLs
  • Auto-detection triggers when:
    • Provider is "aws"
    • No custom s3Url is configured (indicating real AWS S3, not S3-compatible storage)
    • No region is already specified in the config
    • A bucket name is provided in ObjectStorage
  • Falls back gracefully if auto-detection fails

3. Test Coverage (pkg/common/common_test.go & pkg/storage/aws/s3_test.go)

  • Added test cases for region auto-detection scenarios:
    • Region already specified (no auto-detection)
    • S3-compatible storage with custom URL (no auto-detection)
    • Real AWS bucket auto-detection with openshift-velero-plugin-s3-auto-region-test-1
  • Enhanced comments in S3 tests documenting AWS behavior for both public and private buckets

Benefits

  • Reduced Configuration Errors: Automatically configures the correct region for AWS S3 buckets
  • Simplified Setup: Users don't need to manually specify regions for AWS BSLs
  • Backwards Compatible: Only applies to actual AWS S3, not S3-compatible storage
  • Well-Documented: Clear documentation of AWS's confirmed behavior with engagement ID reference

How to test the changes made

Run the S3 region tests:

go test -v ./pkg/storage/aws/... -run TestGetBucketRegion

Run the BSL update tests:

go test -v ./pkg/common/... -run TestUpdateBackupStorageLocation

The tests demonstrate that:

  • GetBucketRegion successfully retrieves region information for both public and private buckets using anonymous credentials
  • Auto-detection correctly adds region to BSL configs when appropriate
  • Auto-detection is properly skipped for S3-compatible storage or when region is already specified

Manual Testing

  1. Create a BSL with AWS provider without specifying a region
  2. Verify the region is automatically detected and added to the configuration
  3. Confirm S3-compatible storage (with s3Url) doesn't trigger auto-detection

Fixes: https://issues.redhat.com/browse/OADP-5777

Note

Responses generated with Claude

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 2, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented May 2, 2025
edited by openshift-ci bot
Loading

@kaovilai: This pull request references OADP-5777 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

How to test the changes made

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 2, 2025
@openshift-ci
Copy link

openshift-ci bot commented May 2, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 2, 2025
@kaovilai
Copy link
Member Author

kaovilai commented May 5, 2025

/test unit-test

@weshayutin
Copy link
Contributor

/retest

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 4, 2025
@kaovilai kaovilai changed the title WIP: OADP-5777: auto region cred test OADP-5777: auto region cred test Aug 4, 2025
@kaovilai kaovilai marked this pull request as ready for review August 4, 2025 22:45
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 4, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 4, 2025
@kaovilai
Add tests for auto bucket region on priv/pubic bucket
aa14556 
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
@kaovilai kaovilai changed the title OADP-5777: auto region cred test OADP-5777: Document AWS HeadBucket API behavior for GetBucketRegion with anonymous credentials Oct 16, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Oct 16, 2025
edited by openshift-ci bot
Loading

@kaovilai: This pull request references OADP-5777 which is a valid jira issue.

In response to this:

Why the changes were made

This PR documents the expected AWS behavior for the GetBucketRegion function using anonymous credentials, based on AWS Security's official response.

Background

We discovered that the AWS SDK's GetBucketRegion function works with anonymous credentials on both public and private S3 buckets, which appeared to contradict AWS documentation stating that s3:ListBucket permission is required for the HeadBucket API.

AWS Security Response

AWS Security has confirmed this is expected behavior, not a security vulnerability:

  • The HeadBucket API endpoint (used internally by GetBucketRegion) does not enforce s3:ListBucket permissions for retrieving bucket region information
  • This works for both public and private buckets with anonymous credentials
  • AWS Security Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg

Changes Made

  • Added clarifying comments in pkg/storage/aws/s3.go explaining this is expected AWS behavior
  • Updated test comments in pkg/storage/aws/s3_test.go to document the actual requirements
  • Included AWS Security engagement ID for future reference

How to test the changes made

Run the existing S3 region tests:

go test -v ./pkg/storage/aws/... -run TestGetBucketRegion

The tests demonstrate that GetBucketRegion successfully retrieves region information for both public and private buckets using anonymous credentials, confirming AWS's intended behavior.

Fixes: https://issues.redhat.com/browse/OADP-5777

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kaovilai @claude
OADP-5777: Add automatic S3 bucket region detection for AWS BSLs
36d2c17 
This commit adds automatic region detection for AWS S3 buckets in BackupStorageLocation
configurations when using actual AWS S3 (not S3-compatible storage).

Changes:
- Modified UpdateBackupStorageLocation in pkg/common/common.go to auto-detect
  and set the region when:
  * Provider is "aws"
  * No custom s3Url is configured (meaning it's real AWS S3)
  * No region is already specified in the config
  * A bucket name is provided in ObjectStorage

- The implementation uses aws.GetBucketRegion() which AWS Security confirmed
  works with anonymous credentials for both public and private buckets
  (Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg)

- Added comprehensive test cases to verify:
  * Region auto-detection is skipped when region is already specified
  * Region auto-detection is skipped for S3-compatible storage (with s3Url)
  * Region auto-detection works with real AWS bucket (tested with
    openshift-velero-plugin-s3-auto-region-test-1)

Benefits:
- Prevents configuration errors from incorrect region specifications
- Reduces manual configuration requirements for AWS BSLs
- Works seamlessly with existing anonymous credential approach

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@kaovilai kaovilai changed the title OADP-5777: Document AWS HeadBucket API behavior for GetBucketRegion with anonymous credentials OADP-5777: Add automatic S3 bucket region detection and document AWS HeadBucket API behavior Oct 16, 2025
kaovilai
kaovilai commented Oct 16, 2025
View reviewed changes
pkg/storage/aws/s3.go
// s3:ListBucket permissions for retrieving bucket region information.
// Reference: AWS Security response (Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg)
// This is expected AWS behavior, not a security vulnerability.
o.Credentials = credentials.NewStaticCredentialsProvider("anon-credentials", "anon-secret", "")
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason we are using here is

  1. simplifies unit test.
  2. why not. it works for prod too.

@kaovilai @claude
OADP-5777: Fix E2E test to accept auto-detected region in BSL
b0cdbf6 
Update DoesBSLSpecMatchesDpa function to accept that DPA spec can have
an empty region while the deployed BSL has an auto-detected region.

The test now properly handles the scenario where:
- DPA spec doesn't specify a region
- No custom s3Url is configured (real AWS S3)
- The deployed BSL has an auto-detected region

This ensures the E2E test "DPA CR without Region, without S3ForcePathStyle
and with BackupImages false" passes with the new auto-detection feature.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@weshayutin
Copy link
Contributor

/test 4.19-e2e-test-aws

@openshift-ci
Copy link

openshift-ci bot commented Oct 17, 2025

@kaovilai: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci
Copy link

openshift-ci bot commented Oct 20, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, shubham-pampattiwar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [kaovilai,shubham-pampattiwar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shubham-pampattiwar shubham-pampattiwar shubham-pampattiwar approved these changes

@sseago sseago Awaiting requested review from sseago

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kaovilai @openshift-ci-robot @weshayutin @shubham-pampattiwar @openshift-merge-robot