Add RoleARN to handle both upload and download S3 transfers (!5246) · Merge requests · GitLab.org / gitlab-runner · GitLab

What does this MR do?

Previously UploadRoleARN was used to assume a role to upload files. However, there are a number of reasons to do this on the download as well:

Faster transfers, as the AWS SDK v2 supports multipart downloads.
Simplifies AWS workload identity support. Previously the eks.amazonaws.com/role-arn annotation would be needed on both the runner manager and the runner config.

Why was this MR needed?

Users found that while UploadRoleARN increase CI cache uploads significantly, downloads took too long and timed out.

What's the best way to test this MR?

Following the instructions for setting up an S3 cache with UploadRoleARN in https://docs.gitlab.com/runner/configuration/advanced-configuration.html#enable-multipart-uploads-with-uploadrolearn, except create an AWS IAM role with permissions with both s3:PutObject and s3:GetObject.
Set RoleARN instead of UploadRoleARN.
Run a CI job with a cache set.

What are the relevant issue numbers?

See #26921 (closed).

Edited Dec 26, 2024 by Stan Hu