@HarshDaryani896

Description:

This PR adds PostgreSQL session variables to enable client-side credential management for AWS S3 and Google Cloud Storage, shifting credential control from server administrators to individual clients and applications.

  1. AWS S3 Session Variables
  • pg_parquet.aws_access_key_id - AWS access key ID
  • pg_parquet.aws_secret_access_key - AWS secret access key
  • pg_parquet.aws_session_token - AWS session token (for temporary credentials)
  • pg_parquet.aws_region - AWS region for S3 operations
  • pg_parquet.aws_endpoint_url - Custom endpoint for S3-compatible storage
  2. Google Cloud Storage Session Variables
  • pg_parquet.google_service_account_key - Service account key as JSON string

This PR is still a work in progress. Will be adding similar session variables for Azure as well.

I have created this for early feedback about the approach and implementation.

Closes: #161 and #129

@HarshDaryani896
Author

@pgguru @aykut-bozkurt Hi, just wanted to check if you’ve had a chance to look at this PR. Let me know if I should adjust anything to help move it forward!

@aykut-bozkurt
Member

aykut-bozkurt commented Oct 10, 2025

Thanks for the idea @HarshDaryani896
I think we should not set secrets via GUCs, which might show up in logs or anywhere else (e.g. stat activity). Instead, we might consider the GUCs below for config files, which cover all settings via SDKs by default.
for aws => pg_parquet.aws_config_name and pg_parquet.aws_profile
for azure => pg_parquet.azure_config_name
for gcs => pg_parquet.gcs_config_name

We can have superuser GUCs like pg_parquet.aws_config_base_path (e.g. /tmp/.aws/), pg_parquet.azure_config_base_path (e.g. /tmp/.azure/) and pg_parquet.gcs_config_base_path (e.g. /tmp/.gcs/)

Then, we can let sdks read config from e.g. <pg_parquet.aws_config_base_path>/<pg_parquet.aws_config_base_path>

By default, all GUCs should be unset.
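The exposure the maintainer describes, as an added illustration that is not part of the PR or of pg_parquet: the GUC names are the ones proposed in the PR description, the key values are constructed placeholders, and the `pg_parquet.aws_config_name` / `pg_parquet.aws_profile` names are the alternative suggested above.

```sql
-- Session A: the application sets the credential GUCs proposed in this PR.
-- 'AKIA-EXAMPLE' and 'EXAMPLE-SECRET' are constructed placeholders, not real keys.
SET pg_parquet.aws_access_key_id = 'AKIA-EXAMPLE';
SET pg_parquet.aws_secret_access_key = 'EXAMPLE-SECRET';

-- Session B (a superuser or a member of pg_read_all_stats): the statement text,
-- secret included, is readable from pg_stat_activity for as long as it is the
-- session's current or most recent statement. With log_statement = 'all' the
-- same text is also written to the server log.
SELECT pid, usename, query
FROM pg_stat_activity
WHERE query ILIKE '%pg_parquet.aws_secret_access_key%';

-- Defender's check: a DBA can scan the same column for any of the proposed
-- credential GUCs to confirm no client is passing secrets this way.
SELECT count(*) AS statements_carrying_secrets
FROM pg_stat_activity
WHERE query ~* 'pg_parquet\.(aws_secret_access_key|aws_session_token|google_service_account_key)';

-- The alternative from the comment above: only a config/profile name crosses the
-- wire and appears in stats or logs; the secret stays in a file under the
-- superuser-controlled base path (e.g. /tmp/.aws/ as in the comment).
SET pg_parquet.aws_config_name = 'analytics';   -- assumed to resolve to <base_path>/analytics
SET pg_parquet.aws_profile = 'default';
```

The placeholder GUCs are accepted by `SET` even before the extension defines them, so the first two queries can be tried against any PostgreSQL instance with `track_activities` enabled.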

@HarshDaryani896
Author

@aykut-bozkurt Thanks for the response.
With the approach you have suggested, users will be able to set the path of the config file from the client side, but the config files would still need to be present on the server machine.

We are currently evaluating some other approaches which can overcome the credential visibility issue of the current GUC approach.
Will update the PR soon.

Successfully merging this pull request may close these issues.

Add session variables for object store credentials configuration.