Fix AWS transfer manager anonymous fallback (#6296) [ci fast]

Signed-off-by: jorgee <[email protected]>
Signed-off-by: Paolo Di Tommaso <[email protected]>
Co-authored-by: Paolo Di Tommaso <[email protected]>

Author: jorgee

plugins/nf-amazon/src/main/nextflow/cloud/aws/AwsClientFactory.groovy

@@ -24,9 +24,7 @@ import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials
 import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider
-import software.amazon.awssdk.awscore.defaultsmode.DefaultsMode
 import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration
-import software.amazon.awssdk.core.client.config.SdkAdvancedClientOption
 import software.amazon.awssdk.core.exception.SdkClientException
 import software.amazon.awssdk.http.SdkHttpClient
 import software.amazon.awssdk.regions.Region
@@ -48,7 +46,6 @@ import groovy.transform.Memoized
 import groovy.util.logging.Slf4j
 import nextflow.SysEnv
 import nextflow.cloud.aws.config.AwsConfig
-import nextflow.cloud.aws.util.S3CredentialsProvider
 import nextflow.exception.AbortOperationException
 /**
  * Implement a factory class for AWS client objects
@@ -217,7 +214,7 @@ class AwsClientFactory {
         final ClientOverrideConfiguration overrideConfiguration = s3ClientConfig.getClientOverrideConfiguration()
         final builder = S3Client.builder()
             .crossRegionAccessEnabled(global)
-            .credentialsProvider(config.s3Config.anonymous ? AnonymousCredentialsProvider.create() : new S3CredentialsProvider(getCredentialsProvider0()))
+            .credentialsProvider(getS3CredentialsProvider())
             .serviceConfiguration(S3Configuration.builder()
                 .pathStyleAccessEnabled(config.s3Config.pathStyleAccess)
                 .multiRegionEnabled(global)
@@ -241,7 +238,7 @@ class AwsClientFactory {
     S3AsyncClient getS3AsyncClient(S3AsyncClientConfiguration s3ClientConfig, boolean global = false) {
         def builder = S3AsyncClient.crtBuilder()
             .crossRegionAccessEnabled(global)
-            .credentialsProvider(config.s3Config.anonymous ? AnonymousCredentialsProvider.create() : new S3CredentialsProvider(getCredentialsProvider0()))
+            .credentialsProvider(getS3CredentialsProvider())
             .forcePathStyle(config.s3Config.pathStyleAccess)
             .region(getRegionObj(region))
         if( config.s3Config.endpoint )
@@ -273,6 +270,35 @@ class AwsClientFactory {
 
         return builder.build()
     }
+    /**
+     * Returns an AwsCredentialsProvider for S3 clients.
+     *
+     * This method wraps the same AWS credentials used for other clients, but ensures proper handling of anonymous S3 access.
+     * If the 'anonymous' flag is set in Nextflow's AWS S3 configuration, or if no credentials are resolved by other providers,
+     * an AnonymousCredentialsProvider instance is returned.
+     *
+     * Prior to AWS SDK v2, the S3CredentialsProvider automatically managed fallback to anonymous access when no credentials were found.
+     * However, due to a limitation in the AWS SDK v2 CRT Async S3 client (see https://github.com/aws/aws-sdk-java-v2/issues/5810),
+     * anonymous credentials only work when explicitly configured via AnonymousCredentialsProvider.
+     * Custom credential providers or provider chains that resolve to anonymous credentials are not handled correctly by the CRT client.
+     *
+     * To work around this, this method explicitly checks whether credentials can be resolved.
+     * If no credentials are found, it returns an AnonymousCredentialsProvider; otherwise, it returns the resolved provider.
+     *
+     * @return an AwsCredentialsProvider instance, falling back to anonymous if needed.
+     */
+    private AwsCredentialsProvider getS3CredentialsProvider() {
+        if ( config.s3Config.anonymous )
+            return AnonymousCredentialsProvider.create()
+        def provider = getCredentialsProvider0()
+        try {
+            provider.resolveCredentials()
+        } catch (Exception e) {
+            log.debug("No AWS credentials available - falling back to anonymous access")
+            return AnonymousCredentialsProvider.create()
+        }
+        return provider
+    }
 
     private void setMultipartConfiguration(MultipartConfiguration multipartConfig, S3CrtAsyncClientBuilder builder) {
         if( multipartConfig.minimumPartSizeInBytes() != null )

plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3Client.java

@@ -103,7 +103,7 @@ private String fetchCallerAccount(){
 				return null;
 			return getBucketAcl(buckets.get(0).name()).owner().id();
 		}catch (Throwable e){
-			log.debug("Exception fetching caller account", e);
+			log.debug("Unable to fetch caller account - {} ", e.getMessage());
 			return null;
 		}
 	}