From ac1e1e20513ea9dcc7281eeeb2b6c033e611ac1f Mon Sep 17 00:00:00 2001
From: Tiger Kaovilai
Date: Mon, 4 Aug 2025 18:47:24 -0400
Subject: [PATCH] Add tests for auto bucket region on priv/pubic bucket
Signed-off-by: Tiger Kaovilai
---
 go.mod | 4 ++--
 pkg/storage/aws/s3.go | 8 +++++---
 pkg/storage/aws/s3_test.go | 20 ++++++++++++++++++++
 3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index af668da863..953f5e51ad 100644
--- a/go.mod
+++ b/go.mod
@@ -31,8 +31,8 @@ require (
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1
- github.com/aws/aws-sdk-go-v2 v1.30.3
 github.com/aws/aws-sdk-go-v2/config v1.26.3
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.26
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.11
 github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0
 github.com/deckarep/golang-set/v2 v2.3.0
@@ -60,8 +60,8 @@ require (
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
- github.com/aws/aws-sdk-go-v2/credentials v1.17.26 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
diff --git a/pkg/storage/aws/s3.go b/pkg/storage/aws/s3.go
index 3a7d25b417..e8fb6e4722 100644
--- a/pkg/storage/aws/s3.go
+++ b/pkg/storage/aws/s3.go
@@ -6,8 +6,8 @@ import (
 "net/http"
 "net/url"
 
- "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/config"
+ "github.com/aws/aws-sdk-go-v2/credentials"
 "github.com/aws/aws-sdk-go-v2/feature/s3/manager"
 "github.com/aws/aws-sdk-go-v2/service/s3"
 "github.com/aws/aws-sdk-go/aws/request"
@@ -32,12 +32,14 @@ func GetBucketRegion(bucket string) (string, error) {
 // Also set to use anonymous credentials. If the bucket is private, this function would not work unless we modify it to take credentials.
 cfg, err := config.LoadDefaultConfig(context.Background(),
 config.WithRegion("us-east-1"), // This is not default region being used, this is to specify a region hinting server that we will use to get region from.
- config.WithCredentialsProvider(aws.AnonymousCredentials{}),
 )
 if err != nil {
 return "", err
 }
- region, err = manager.GetBucketRegion(context.Background(), s3.NewFromConfig(cfg), bucket)
+ region, err = manager.GetBucketRegion(context.Background(), s3.NewFromConfig(cfg), bucket, func(o *s3.Options) {
+ // TODO: get creds from bsl
+ o.Credentials = credentials.NewStaticCredentialsProvider("anon-credentials", "anon-secret", "") // this works with private buckets.. why? supposed to require cred with s3:ListBucket https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
+ })
 if region != "" {
 return region, nil
 }
diff --git a/pkg/storage/aws/s3_test.go b/pkg/storage/aws/s3_test.go
index 4843808034..12d8af9f53 100644
--- a/pkg/storage/aws/s3_test.go
+++ b/pkg/storage/aws/s3_test.go
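Review bot: The placeholder `credentials.NewStaticCredentialsProvider("anon-credentials", "anon-secret", "")` in the GetBucketRegion hunk is not anonymous access: it makes the SDK sign HeadBucket with a key AWS cannot recognise, so every request now fails authentication, and the lookup still succeeds only because, as far as I recall the SDK's manager.GetBucketRegion, the region is captured from the `x-amz-bucket-region` header that S3 also sends on 301/403 error responses — which answers the "why?" left in the trailing comment. Compared with the previous unsigned request this relies on an error-path header, produces InvalidAccessKeyId failures in the bucket owner's CloudTrail/access logs on every backup-location check, and leaves a literal that secret scanners will flag. Until the BSL-credentials TODO is done, keep the override anonymous with `o.Credentials = aws.AnonymousCredentials{}` (restoring the `github.com/aws/aws-sdk-go-v2/aws` import dropped in the import hunk) and replace the question in the comment with a statement of the header-based mechanism. The older comment above the `config.LoadDefaultConfig` call, `// Also set to use anonymous credentials. ...`, now describes the removed option and should move into the options func.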
@@ -14,12 +14,31 @@ func TestGetBucketRegion(t *testing.T) {
 wantErr bool
 }{
 {
+ // Public bucket should work anonymously, policy below
+ // {
+ // "Version": "2012-10-17",
+ // "Statement": [
+ // {
+ // "Sid": "publicList",
+ // "Effect": "Allow",
+ // "Principal": "*",
+ // "Action": "s3:ListBucket",
+ // "Resource": "arn:aws:s3:::openshift-velero-plugin-s3-auto-region-test-1"
+ // }
+ // ]
+ // }
+ // ❯ aws s3api head-bucket --bucket openshift-velero-plugin-s3-auto-region-test-1 --no-sign-request
+ // {
+ // "BucketRegion": "us-east-1",
+ // "AccessPointAlias": false
+ // }
 name: "openshift-velero-plugin-s3-auto-region-test-1",
 bucket: "openshift-velero-plugin-s3-auto-region-test-1",
 region: "us-east-1",
 wantErr: false,
 },
 {
+ // Private bucket do not require creds per email with AWS, not a concern
 name: "openshift-velero-plugin-s3-auto-region-test-2",
 bucket: "openshift-velero-plugin-s3-auto-region-test-2",
 region: "us-west-1",
@@ -42,6 +61,7 @@ func TestGetBucketRegion(t *testing.T) {
 bucket: "velero-6109f5e9711c8c58131acdd2f490f451",
 region: "us-east-1",
 wantErr: false,
+ // TODO: add creds usage here.
 },
 }
 for _, tt := range tests {
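Review bot: The comment `// Private bucket do not require creds per email with AWS, not a concern` on the second test case records the assumption the s3.go change depends on but gives a reader nothing to verify, unlike the public-bucket case above it, which pastes the bucket policy and the unsigned head-bucket output. Record the same evidence for the private bucket (its `--no-sign-request` head-bucket output, presumably an access-denied response that still reports the region) and reword to `// Private bucket: no public policy; region is still returned to an unauthenticated HeadBucket (confirmed with AWS), so no credentials are needed here.`. Both new cases, like the existing `velero-6109f5e9711c8c58131acdd2f490f451` case that gains the `// TODO: add creds usage here.` marker in the second hunk, call real S3 buckets over the network, so the test fails offline or whenever those buckets disappear; a `testing.Short()` skip at the top of TestGetBucketRegion, whose start lies outside these hunks, would keep `go test -short` deterministic. The pasted shell prompt `❯` in the comment block is a non-ASCII glyph that some lint setups reject; a plain `$` reads the same.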