Greptile Summary

This PR centralizes AWS S3 role assumption configuration by moving the logic from individual call sites into the get_s3_client utility function. Previously, each caller of get_s3_client needed to explicitly pass the aws_s3_assume_role_arn from the configuration. Now, the get_s3_client function itself checks for a configured role ARN in CONFIG.credentials.get('storage', {}).get('aws_s3_assume_role_arn') and uses it as a fallback when no explicit assume_role_arn parameter is provided.

The change affects two key files: src/fides/api/tasks/storage.py where the hardcoded role assumption parameter is removed from the upload_to_s3 function, and src/fides/api/util/aws_util.py where the configuration lookup logic is added. This refactoring ensures consistent role assumption behavior across all S3 operations in the Fides application without requiring code changes at every usage point. The implementation maintains backward compatibility by giving precedence to explicitly passed assume_role_arn parameters over the configured default.

This change fits into the broader Fides architecture by centralizing AWS configuration management, which aligns with the privacy management framework's need for consistent and secure cloud storage operations. The modification supports deployment scenarios where a specific IAM role must be assumed for all S3 operations, allowing configuration through environment variables or the fides.toml config file.

PR Description Notes:

• The "Code Changes" and "Steps to Confirm" sections are incomplete with placeholder text
• The pre-merge checklist is entirely unchecked

Important Files Changed

Confidence score: 4/5

• This PR is safe to merge with minimal risk as it centralizes existing functionality without changing core behavior
• Score reflects clean refactoring with maintained backward compatibility and consistent error handling patterns
• Pay close attention to aws_util.py to ensure the configuration precedence logic works as intended

Sequence Diagram

sequenceDiagram
    participant User
    participant "upload_to_s3" as Upload
    participant "get_s3_client" as S3Client
    participant "get_aws_session" as AWSSession
    participant "get_assumed_role_session" as AssumeRole
    participant "AWS STS" as STS
    participant "AWS S3" as S3

    User->>Upload: "upload_to_s3(storage_secrets, data, bucket_name, file_key, resp_format, privacy_request, document, auth_method)"
    Upload->>S3Client: "get_s3_client(auth_method, storage_secrets)"
    S3Client->>AWSSession: "get_aws_session(auth_method, storage_secrets, assume_role_arn)"
    
    alt auth_method == SECRET_KEYS
        AWSSession->>AWSSession: "Create session with access keys"
    else auth_method == AUTOMATIC
        AWSSession->>AWSSession: "Create automatic session"
    end
    
    AWSSession->>STS: "get_caller_identity()"
    STS-->>AWSSession: "Valid credentials confirmed"
    
    alt assume_role_arn exists
        AWSSession->>AssumeRole: "get_assumed_role_session(assume_role_arn, sts_client, region_name)"
        AssumeRole->>STS: "assume_role(RoleArn, RoleSessionName)"
        STS-->>AssumeRole: "Temporary credentials"
        AssumeRole->>AssumeRole: "Create session with temp credentials"
        AssumeRole-->>AWSSession: "Assumed role session"
    end
    
    AWSSession-->>S3Client: "AWS session"
    S3Client->>S3Client: "Create S3 client with signature v4 config"
    S3Client-->>Upload: "S3 client"
    
    Upload->>Upload: "write_to_in_memory_buffer(resp_format, data, privacy_request)"
    Upload->>S3: "upload_fileobj(Fileobj, Bucket, Key)"
    S3-->>Upload: "Upload complete"
    
    Upload->>S3: "create_presigned_url_for_s3(s3_client, bucket_name, file_key)"
    S3-->>Upload: "Presigned URL"
    Upload-->>User: "Presigned URL"

_{2 files reviewed, no comments}

_{Edit Code Review Bot Settings | Greptile}

👍