[request]: Anonymous Credentials Provider

[seddonm1]

Community Note

Please upvote this issue by reacting with 👍🏻 to help us prioritize!

Tell us about your request

The Java SDK has an Anonymous Credentials Provider (https://github.com/aws/aws-sdk-java-v2/blob/master/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AnonymousCredentialsProvider.java) which allows accessing AWS Open Data like (https://registry.opendata.aws/nyc-tlc-trip-records-pds/) without having to provide credentials (see aws s3 ls s3://nyc-tlc/ --no-sign-request)

There does not appear to be an equivalent for the Rust SDK.

Tell us about the problem you're trying to solve.

Access AWS Open Data, e.g. https://registry.opendata.aws/nyc-tlc-trip-records-pds/

Are you currently working around this issue?

No workaround.

Additional context

No response

[rcoh]

yeah that's correct. We actually considered the anonymous credentials route but it causes a lot of internal complexity because you now need to validate that every credential actually has credentials inside. I'm going to investigate how other SDKs handle this issue. We do support unauthenticated requests in the low-level client. SSO, for example, models certain requests as unauthenticated. I think we'll be able to build an ergonomic interface for this, potentially by adding an unauthenticated() method to the builder, eg.

As a (admittedly, not ergonomic workaround), you can use the low level client and augment the property bag:

use aws_sdk_s3::operation::ListObjectsV2;
use aws_sdk_s3::Credentials;
use aws_sig_auth::signer::OperationSigningConfig;
use aws_sig_auth::signer::SigningRequirements;
use aws_smithy_http::operation::Operation;

#[tokio::main]
async fn main() {
    let conf = aws_config::from_env()
        .credentials_provider(Credentials::new("stub", "stub", None, None, "faked"))
        .region("us-east-1")
        .load()
        .await;
    let conf = aws_sdk_s3::Config::new(&conf);
    let client = aws_smithy_client::Builder::dyn_https()
        .middleware(aws_sdk_s3::middleware::DefaultMiddleware::new())
        .build();
    let mut operation = ListObjectsV2::builder()
        .bucket("nyc-tlc")
        .build()
        .unwrap()
        .make_operation(&conf)
        .await
        .unwrap();
    make_unsigned(&mut operation);
    let resp = client
        .call(operation)
        .await
        .expect("request should succeed");
    for obj in resp.contents().unwrap_or_default() {
        println!("{}", obj.key().unwrap_or_default());
    }
}

// this function will work on any S3 operation
fn make_unsigned<I, R>(operation: &mut Operation<I, R>) {
    let mut props = operation.properties_mut();
    let mut signing_config = props
        .get_mut::<OperationSigningConfig>()
        .expect("has signing_config");
    signing_config.signing_requirements = SigningRequirements::Disabled;
}

[seddonm1]

Thank you for your thorough response @rcoh and I appreciate you providing a workaround.

I hope you are able to work out (as you say) a more ergonomic answer than this and potentially add it to the default credentials chain even if this is not necessarily a common requirement.

[Xuanwo]

Maybe we can change signing_config.signing_requirements in the DefaultMiddleware so that we don't need to make_unsigned for every operation.

[Xuanwo]

Hello, everyone here, I got it works via middleware: apache/opendal#97

No need to operate on a low-level request, everything works.

@rcoh Can you take a look at this PR? I'm willing to submit a PR back to aws-sdk-rust if there is an actionable route.

[Velfi]

@Xuanwo Thanks for coming up with that suggestion. We'll take a look when we're able and get back to you.

[Velfi]

This will soon be slightly easier to do pending the release of the changes from smithy-rs#1647:

#[tokio::main]
async fn main() {
    let conf = aws_config::load_from_env().await;
    let client = aws_sdk_s3::Client::new(&conf);
    let res = client
        .list_objects_v2()
        .bucket("genome-browser")
        .customize()
        .await
        .unwrap()
        .map_operation(make_unsigned)
        .unwrap()
        .send()
        .await
        .expect("request should succeed");

    for obj in res.contents().unwrap_or_default() {
        println!("{}", obj.key().unwrap_or_default());
    }
}

fn make_unsigned<O, Retry>(
    mut operation: aws_smithy_http::operation::Operation<O, Retry>,
) -> Result<aws_smithy_http::operation::Operation<O, Retry>, std::convert::Infallible> {
    {
        let mut props = operation.properties_mut();
        let mut signing_config = props
            .get_mut::<aws_sig_auth::signer::OperationSigningConfig>()
            .expect("has signing_config");
        signing_config.signing_requirements = aws_sig_auth::signer::SigningRequirements::Disabled;
    }

    Ok(operation)
}

The "Customizable Operations" feature will ship with versions 0.49.0/0.19.0 which will (famous last words) probably arrive some time next week.

[seddonm1]

Thank you @Velfi . We can probably close this issue then?

[jdisanti]

We can probably close this issue then?

Keeping this open because it seems like there should be an easier way to do this.

[jdisanti]

The aws-config now has a no_credentials() method on it to specify anonymous auth. If you're not using aws-config, then you can have the same behavior by not setting a credentials provider for services that support it.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.