Contrib.social

Can't use default credential provider without API key/secret

Open on Drupal.org β†’
Created on 28 February 2025, about 1 month ago

Problem/Motivation

When saving the server configuration without API key & secret, it is expected to fallback to the CredentialProvider::defaultProvider(). However the condition to check the API credentials do not check the value, it uses the empty value instead of fallback.

Steps to reproduce

1. Create a new server without API key & secret
2. Make sure the server is configured to have credentials (e.g. ECS has a file with key, secret)
3. Try to connect to the server.
Expected,
4. The credentials pulled from server
Actual
4. The empty fields are used as credentials.

Proposed resolution

Fix condition, so that we use credentials from default provider, if not set in server config

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Active

Version

2.0

Component

Code

Created by

πŸ‡¬πŸ‡§United Kingdom vijaycs85 London, UK

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @vijaycs85
  • Comment about 1 month ago β†’
    πŸ‡¦πŸ‡ΊAustralia kim.pepper πŸ„β€β™‚οΈπŸ‡¦πŸ‡ΊSydney, Australia

    Thanks for reporting @vijaycs85

    Can you please confirm the versions of search_api_opensearch and opensearch-project/opensearch-php you are using?

  • Comment about 1 month ago β†’
    πŸ‡¬πŸ‡§United Kingdom vijaycs85 London, UK

    Can you please confirm the versions of search_api_opensearch and opensearch-project/opensearch-php you are using?

    drupal/search_api_opensearch:      2.x-dev 
opensearch-project/opensearch-php: 2.4.2
  • Comment about 1 month ago β†’
    πŸ‡¦πŸ‡ΊAustralia kim.pepper πŸ„β€β™‚οΈπŸ‡¦πŸ‡ΊSydney, Australia

    I think this is due to not checking for empty strings when passing the credentials options.

    I'm going to postpone this one on πŸ“Œ Use \OpenSearch\Aws\SigningClientFactory Active which changes how we create the signing client.

  • Comment about 1 month ago β†’
    πŸ‡¦πŸ‡ΊAustralia kim.pepper πŸ„β€β™‚οΈπŸ‡¦πŸ‡ΊSydney, Australia

    @vijaycs85 would be great if you could test out πŸ“Œ Use \OpenSearch\Aws\SigningClientFactory Active and see if it fixes your issues before we commit it.

  • Comment 26 days ago β†’
    πŸ‡¦πŸ‡ΊAustralia kim.pepper πŸ„β€β™‚οΈπŸ‡¦πŸ‡ΊSydney, Australia

    πŸ“Œ Use \OpenSearch\Aws\SigningClientFactory Active is in so this is unblocked.

  • Comment 25 days ago β†’
    πŸ‡¦πŸ‡ΊAustralia kim.pepper πŸ„β€β™‚οΈπŸ‡¦πŸ‡ΊSydney, Australia

    I think this was fixed in πŸ“Œ Use \OpenSearch\Aws\SigningClientFactory Active with this code:

        // Set credentials if provided, otherwise fall back to defaults.
    if ('' !== $this->configuration['api_key'] && '' !== $this->configuration['api_secret']) {
      $options['auth_aws']['credentials'] = [
        'access_key' => $this->configuration['api_key'],
        'secret_key' => $this->configuration['api_secret'],
      ];
    }

    Because this uses logic in the library, we can only check to see if the 'credentials' array key gets set. See https://github.com/opensearch-project/opensearch-php/blob/main/src/OpenS... 

    // Check for provided access key and secret.
        if (isset($options['credentials'])) {
            return CredentialProvider::fromCredentials(
                new Credentials(
                    $options['credentials']['access_key'] ?? '',
                    $options['credentials']['secret_key'] ?? '',
                    $options['credentials']['session_token'] ?? null,
                )
            );
        }

        // Fallback to the default provider.
        return CredentialProvider::defaultProvider();

    Are you able to manually test this now? If there are issues with the opensearch-php library, feel free to create an issue there too.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024