Use static AWS credentials for elasticsearch indexer if set
What does this MR do and why?
A customer using OpenSearch for Advanced Search is getting this error
"exception.class":"Aws::STS::Errors::AccessDenied",
"exception.message":"Not authorized to perform sts:AssumeRoleWithWebIdentity",
"exception.backtrace":[
"ee/lib/gitlab/elastic/client.rb:78:in `block in aws_credential_provider'",
"ee/lib/gitlab/elastic/client.rb:77:in `aws_credential_provider'",
"ee/lib/gitlab/elastic/indexer.rb:214:in `build_aws_credentials_env'",
"ee/lib/gitlab/elastic/indexer.rb:150:in `build_envvars'",
"ee/lib/gitlab/elastic/indexer.rb:102:in `run_indexer!'",
"ee/lib/gitlab/elastic/indexer.rb:76:in `block in run'",
"ee/lib/gitlab/elastic/indexer.rb:57:in `each'",
Even when AWS credentials are set.
To fix, we should first check if static credentials are set and use that.
Fixes https://gitlab.com/gitlab-com/enablement-sub-department/section-enable-request-for-help/-/issues/80
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
-
On the Search admin page, set credentials in the OpenSearch (doesn't have to be valid credentials).
-
Add a puts in
ee/lib/gitlab/elastic/indexer.rb
line 153:puts vars
-
Run
Gitlab::Elastic::Indexer.new(Project.first).run
in a console -
See that the credentials you set are passed as ENV vars to the indexer