- implements IRSA inherit when we provide different serviceAccount and assume_role_arn in s3 config section, fix #1191

Slach · Slach · commit dd56d4ed8df6 · 2025-07-31T12:31:09.000+04:00
- add object labels configs to e2e integration tests

Signed-off-by: Slach &lt;bloodjazman@gmail.com&gt;
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,3 +1,8 @@
+# v2.6.31
+IMPROVEMENTS
+- implements IRSA inherit when we provide different serviceAccount and `assume_role_arn` in `s3` config section, fix [1191](https://github.com/Altinity/clickhouse-backup/issues/1191)
+- add object labels configs to e2e integration tests
+
 # v2.6.30
 IMPROVEMENTS
 - add in REST API `operation_id` to result for all asynchronous commands (`create`,`upload`,`download`,`restore`) which allow poll /backup/status more precise, fix [1189](https://github.com/Altinity/clickhouse-backup/pull/1189), thanks @lepetitops
diff --git a/pkg/storage/s3.go b/pkg/storage/s3.go
@@ -135,6 +135,11 @@ func (s *S3) Connect(ctx context.Context) error {
 		awsConfig.Credentials = stscreds.NewWebIdentityRoleProvider(
 			stsClient, awsRoleARN, stscreds.IdentityTokenFile(awsWebIdentityTokenFile),
 		)
+		// inherit IRSA and try assume role https://github.com/Altinity/clickhouse-backup/issues/1191
+		if s.Config.AssumeRoleARN != "" && s.Config.AssumeRoleARN != awsRoleARN {
+			stsClient = sts.NewFromConfig(awsConfig)
+			awsConfig.Credentials = stscreds.NewAssumeRoleProvider(stsClient, s.Config.AssumeRoleARN)
+		}
 	} else if s.Config.AssumeRoleARN != "" {
 		// backup role S3_ASSUME_ROLE_ARN have high priority than AWS_ROLE_ARN see https://github.com/Altinity/clickhouse-backup/issues/898
 		awsConfig.Credentials = stscreds.NewAssumeRoleProvider(stsClient, s.Config.AssumeRoleARN)
diff --git a/test/integration/config-gcs-custom-endpoint.yml b/test/integration/config-gcs-custom-endpoint.yml
@@ -26,3 +26,5 @@ gcs:
   compression_format: tar
   endpoint: http://gcs:8080/storage/v1/
   skip_credentials: true
+  object_labels:
+    label: label_value
diff --git a/test/integration/config-gcs.yml b/test/integration/config-gcs.yml
@@ -18,3 +18,5 @@ gcs:
   object_disk_path: object_disks/{cluster}/{shard}
   credentials_file: /etc/clickhouse-backup/credentials.json
   compression_format: tar
+  object_labels:
+    label: label_value
diff --git a/test/integration/config-s3.yml b/test/integration/config-s3.yml
@@ -40,6 +40,8 @@ s3:
   allow_multipart_download: true
   concurrency: 3
   request_payer: requester
+  object_labels:
+    label: label_value
 api:
   listen: :7171
   create_integration_tables: true
