ai: fix for irsa

snormore · snormore · commit fa8064fb029e · 2025-12-27T23:27:17.000-05:00
diff --git a/tools/dz-ai/internal/data/duck/config.go b/tools/dz-ai/internal/data/duck/config.go
@@ -13,11 +13,11 @@ import (
 )
 
 // LoadS3ConfigFromEnv loads S3 configuration from environment variables.
-// Supports both AWS S3 and MinIO configurations.
+// Supports both AWS S3 and MinIO configurations, including IRSA (IAM Roles for Service Accounts).
 //
 // Environment variables:
-//   - S3_ACCESS_KEY_ID or AWS_ACCESS_KEY_ID (required)
-//   - S3_SECRET_ACCESS_KEY or AWS_SECRET_ACCESS_KEY (required)
+//   - S3_ACCESS_KEY_ID or AWS_ACCESS_KEY_ID (optional, for IRSA leave unset to use IAM role)
+//   - S3_SECRET_ACCESS_KEY or AWS_SECRET_ACCESS_KEY (optional, for IRSA leave unset to use IAM role)
 //   - S3_ENDPOINT (optional, for MinIO: "http://localhost:9000")
 //   - S3_REGION or AWS_REGION (optional, defaults to "us-east-1")
 //   - S3_USE_SSL (optional, "true"/"false", auto-detected if S3_ENDPOINT is set)
@@ -30,23 +30,36 @@ import (
 // Otherwise, assumes AWS S3 and sets:
 //   - UseSSL: true
 //   - URLStyle: "virtual"
+//
+// For IRSA (IAM Roles for Service Accounts) in AWS EKS, leave both access key and secret
+// unset to use the IAM role credentials automatically.
 func LoadS3ConfigFromEnv() (*S3Config, error) {
 	// Get access key (try S3_ prefix first, then AWS_ prefix)
 	accessKeyID := os.Getenv("S3_ACCESS_KEY_ID")
 	if accessKeyID == "" {
 		accessKeyID = os.Getenv("AWS_ACCESS_KEY_ID")
 	}
-	if accessKeyID == "" {
-		return nil, nil // Not an error, just not configured
-	}
 
 	// Get secret key (try S3_ prefix first, then AWS_ prefix)
 	secretAccessKey := os.Getenv("S3_SECRET_ACCESS_KEY")
 	if secretAccessKey == "" {
 		secretAccessKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
 	}
-	if secretAccessKey == "" {
-		return nil, fmt.Errorf("S3_ACCESS_KEY_ID or AWS_ACCESS_KEY_ID is set but S3_SECRET_ACCESS_KEY or AWS_SECRET_ACCESS_KEY is missing")
+
+	// If neither access key nor secret is set, return nil (not configured, will use IRSA/default credentials)
+	if accessKeyID == "" && secretAccessKey == "" {
+		return nil, nil // Not an error, just not configured - will use default AWS credentials chain (IRSA)
+	}
+
+	// If only secret is set without access key, that's an error
+	if accessKeyID == "" && secretAccessKey != "" {
+		return nil, fmt.Errorf("S3_SECRET_ACCESS_KEY or AWS_SECRET_ACCESS_KEY is set but S3_ACCESS_KEY_ID or AWS_ACCESS_KEY_ID is missing")
+	}
+
+	// If only access key is set without secret, that's also an error (inconsistent state)
+	// For IRSA, both should be unset to use IAM role credentials
+	if accessKeyID != "" && secretAccessKey == "" {
+		return nil, fmt.Errorf("S3_ACCESS_KEY_ID or AWS_ACCESS_KEY_ID is set but S3_SECRET_ACCESS_KEY or AWS_SECRET_ACCESS_KEY is missing (for IRSA, leave both unset)")
 	}
 
 	// Get endpoint (optional, for MinIO)
@@ -127,6 +140,10 @@ func EnsureMinIOBucket(ctx context.Context, log *slog.Logger, storageURI string,
 	}
 
 	// Create S3 client
+	// MinIO always requires explicit credentials
+	if s3Config.AccessKeyID == "" || s3Config.SecretAccessKey == "" {
+		return fmt.Errorf("MinIO requires both S3_ACCESS_KEY_ID and S3_SECRET_ACCESS_KEY to be set")
+	}
 	creds := credentials.NewStaticCredentialsProvider(
 		s3Config.AccessKeyID,
 		s3Config.SecretAccessKey,
@@ -181,12 +198,28 @@ func PrepareS3ConfigForStorageURI(ctx context.Context, log *slog.Logger, storage
 	}
 
 	// Load S3 config from environment variables
+	// If nil, that's OK - will use default AWS credentials chain (IRSA)
 	s3Config, err := LoadS3ConfigFromEnv()
 	if err != nil {
 		return nil, fmt.Errorf("failed to load S3 configuration: %w", err)
 	}
+	// If s3Config is nil, create a minimal config with just region for IRSA
 	if s3Config == nil {
-		return nil, fmt.Errorf("S3 storage URI specified but S3 configuration not found in environment variables (S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY required)")
+		region := os.Getenv("S3_REGION")
+		if region == "" {
+			region = os.Getenv("AWS_REGION")
+		}
+		if region == "" {
+			region = "us-east-1" // Default region
+		}
+		s3Config = &S3Config{
+			AccessKeyID:     "", // Empty for IRSA
+			SecretAccessKey: "", // Empty for IRSA
+			Endpoint:        "", // AWS S3
+			Region:          region,
+			UseSSL:          true,      // AWS S3 default
+			URLStyle:        "virtual", // AWS S3 default
+		}
 	}
 
 	// If using localhost MinIO, ensure the bucket exists
diff --git a/tools/dz-ai/internal/data/duck/lake.go b/tools/dz-ai/internal/data/duck/lake.go
@@ -171,7 +171,8 @@ func NewLake(ctx context.Context, log *slog.Logger, catalogName, catalogURI, sto
 			return nil, fmt.Errorf("failed to create storage directory: %w", err)
 		}
 	} else if strings.HasPrefix(storageURI, "s3://") {
-		// For S3 paths, we'll append the secret reference after creating the secret
+		// For S3 paths, we'll reference the secret after creating it
+		// The secret will be referenced in the DATA_PATH
 		storagePath = storageURI
 		useS3 = true
 	} else {
@@ -219,6 +220,9 @@ func NewLake(ctx context.Context, log *slog.Logger, catalogName, catalogURI, sto
 		}
 
 		// Create S3 secret
+		// For IRSA (no explicit credentials), DuckDB's httpfs extension will use the default
+		// AWS credentials chain via environment variables. We still create a secret with
+		// region and other settings, but omit KEY_ID and SECRET.
 		secretSQL := "CREATE SECRET IF NOT EXISTS s3_secret (TYPE s3"
 		if cfg.AccessKeyID != "" {
 			secretSQL += fmt.Sprintf(", KEY_ID '%s'", strings.ReplaceAll(cfg.AccessKeyID, "'", "''"))
@@ -239,22 +243,31 @@ func NewLake(ctx context.Context, log *slog.Logger, catalogName, catalogURI, sto
 		}
 		urlStyle := cfg.URLStyle
 		if urlStyle == "" {
-			urlStyle = "path" // Default to path style for MinIO compatibility
+			// Default based on whether it's AWS S3 or MinIO
+			if cfg.Endpoint == "" || strings.Contains(cfg.Endpoint, "amazonaws.com") {
+				urlStyle = "virtual" // AWS S3 default
+			} else {
+				urlStyle = "path" // MinIO default
+			}
 		}
 		secretSQL += fmt.Sprintf(", URL_STYLE '%s'", urlStyle)
 		useSSL := cfg.UseSSL
 		if cfg.Endpoint != "" && !strings.Contains(cfg.Endpoint, "amazonaws.com") {
 			// Default to false for non-AWS endpoints (like MinIO)
 			useSSL = false
+		} else if cfg.Endpoint == "" {
+			// AWS S3 default
+			useSSL = true
 		}
 		secretSQL += fmt.Sprintf(", USE_SSL %t", useSSL)
 		secretSQL += ")"
 
 		if _, err := db.Exec(secretSQL); err != nil {
 			return nil, fmt.Errorf("failed to create S3 secret: %w", err)
 		}
-		// Note: The S3 secret is created and should be used automatically by ducklake
-		// for S3 operations. The storagePath is passed as-is to DATA_PATH.
+		// DuckDB's ducklake extension should automatically use the s3_secret for S3 operations
+		// when the storage path is s3://. No need to reference it in the URI.
+		// For IRSA, the secret (without KEY_ID/SECRET) will use the default AWS credentials chain
 		log.Info("configured S3 storage", "endpoint", cfg.Endpoint, "region", cfg.Region)
 	}
 
@@ -280,7 +293,9 @@ func NewLake(ctx context.Context, log *slog.Logger, catalogName, catalogURI, sto
 				break
 			}
 			if i < maxRetries-1 {
-				log.Debug("postgres not ready, retrying attach", "attempt", i+1, "error", attachErr)
+				// Sanitize error message to prevent password leakage
+				errorMsg := sanitizeErrorForLogging(attachErr.Error())
+				log.Debug("postgres not ready, retrying attach", "attempt", i+1, "error", errorMsg)
 				// Use context-aware sleep to respect cancellation
 				timer := time.NewTimer(retryDelay)
 				select {
@@ -410,6 +425,74 @@ func validateStorageURI(uri string) error {
 	return fmt.Errorf("storage URI must start with file:// or s3:// (got: %q)", uri)
 }
 
+// sanitizeErrorForLogging redacts passwords and other sensitive information from error messages.
+func sanitizeErrorForLogging(errMsg string) string {
+	// Redact libpq format passwords (password=secret)
+	if strings.Contains(errMsg, "password=") {
+		// Handle patterns like "password=secret" or "password='secret'" in space-separated or quoted strings
+		parts := strings.Fields(errMsg)
+		var sanitizedParts []string
+		for _, part := range parts {
+			if strings.HasPrefix(part, "password=") {
+				// Extract the password value and redact it
+				if idx := strings.Index(part, "="); idx != -1 {
+					value := part[idx+1:]
+					// Remove quotes if present
+					value = strings.Trim(value, "'\"")
+					if value != "" {
+						sanitizedParts = append(sanitizedParts, "password=REDACTED")
+					} else {
+						sanitizedParts = append(sanitizedParts, part)
+					}
+				} else {
+					sanitizedParts = append(sanitizedParts, part)
+				}
+			} else {
+				sanitizedParts = append(sanitizedParts, part)
+			}
+		}
+		return strings.Join(sanitizedParts, " ")
+	}
+	// Redact postgres:// URIs with passwords
+	// Try to find postgres URIs and redact them using the existing function
+	if strings.Contains(errMsg, "postgres://") || strings.Contains(errMsg, "postgresql://") {
+		// For postgres URIs, try to extract and redact them
+		// Look for patterns like "postgres://user:pass@host" or "postgresql://user:pass@host"
+		// This is a simple heuristic - if we find @ after the scheme, there's likely a password
+		if strings.Contains(errMsg, "@") {
+			// Try to find the URI boundaries and redact
+			// Simple approach: redact anything between :// and @ that contains :
+			// This handles "postgres://user:password@host" -> "postgres://user:REDACTED@host"
+			// Use a more careful approach with the existing RedactedCatalogURI if possible
+			// For now, use a simple pattern replacement
+			replaced := errMsg
+			// Find and replace postgres://user:pass@ patterns
+			for _, scheme := range []string{"postgres://", "postgresql://"} {
+				if idx := strings.Index(replaced, scheme); idx != -1 {
+					// Find the @ after the scheme
+					afterScheme := replaced[idx+len(scheme):]
+					if atIdx := strings.Index(afterScheme, "@"); atIdx != -1 {
+						// Check if there's a : before @ (indicating password)
+						credentials := afterScheme[:atIdx]
+						if strings.Contains(credentials, ":") {
+							// Split on : and redact the password part
+							credParts := strings.SplitN(credentials, ":", 2)
+							if len(credParts) == 2 {
+								redactedCreds := credParts[0] + ":REDACTED"
+								replaced = replaced[:idx+len(scheme)] + redactedCreds + afterScheme[atIdx:]
+								errMsg = replaced
+								break // Only process first occurrence
+							}
+						}
+					}
+				}
+			}
+			return replaced
+		}
+	}
+	return errMsg
+}
+
 // RedactedCatalogURI redacts sensitive information from catalog URIs for logging.
 // It redacts passwords from postgres:// URIs and libpq connection strings.
 func RedactedCatalogURI(uri string) string {
