sts: support access boundary in aws and gcp sts #240

Merged
sandeepvinayak merged 6 commits into salesforce:main from sandeepvinayak:spal/sts-access-boundary
Jan 9, 2026

@sandeepvinayak
Contributor

Summary

< Provide a brief description of the changes in this PR >

Some conventions to follow

  1. add the module name as a prefix
    • for example: add a prefix: docstore: for document store module, blobstore for Blob Store module
  2. for a test only PR, add test:
  3. for a perf improvement only PR, add perf:
  4. for a refactoring only PR, add "refactor:"

@codecov-commenter

codecov-commenter commented Jan 8, 2026

Codecov Report

❌ Patch coverage is 80.43478% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.15%. Comparing base (e355c22) to head (bad3bc7).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
...ava/com/salesforce/multicloudj/sts/gcp/GcpSts.java 75.71% 10 Missing and 7 partials ⚠️
...ava/com/salesforce/multicloudj/sts/aws/AwsSts.java 82.97% 2 Missing and 6 partials ⚠️
...salesforce/multicloudj/sts/driver/AbstractSts.java 88.88% 0 Missing and 2 partials ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               main     #240      +/-   ##
============================================
- Coverage     83.20%   83.15%   -0.06%     
  Complexity       94       94              
============================================
  Files           150      150              
  Lines          8256     8368     +112     
  Branches        967      990      +23     
============================================
+ Hits           6869     6958      +89     
- Misses          933      945      +12     
- Partials        454      465      +11     
Flag Coverage Δ
unittests 83.15% <80.43%> (-0.06%) ⬇️

@sandeepvinayak sandeepvinayak force-pushed the spal/sts-access-boundary branch 2 times, most recently from 46d1cd7 to 1e4c34a Compare January 8, 2026 23:01
@sandeepvinayak sandeepvinayak force-pushed the spal/sts-access-boundary branch from 1e4c34a to 6ed7f97 Compare January 8, 2026 23:51
*/
private String toJsonString(Map<String, Object> map) {
try {
return new ObjectMapper().writeValueAsString(map);
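Review bot: toJsonString builds a new ObjectMapper() on every call, at the return inside the try. ObjectMapper is thread-safe once configured and comparatively costly to construct, so hoist it into a private static final field and reuse it. The catch for this try is not visible in the excerpt; if the map being serialised is the access boundary document, confirm that a serialisation failure aborts the credential request with an exception rather than continuing without a boundary.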
Contributor

nit: should we use a statically initialised constant ObjectMapper here?

* Maps MultiCloudJ storage actions to AWS S3 actions.
* Example: "storage:GetObject" -> "s3:GetObject"
*/
private String convertPermissionToAction(String permission) {
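Review bot: the Javadoc on convertPermissionToAction documents only the "storage:GetObject" -> "s3:GetObject" case and does not say what happens to a permission that lacks the storage: prefix or names an action with no S3 equivalent. Since the return value ends up as an action in a policy, document the contract and make the method reject anything outside a known storage: set with an IllegalArgumentException, so an unrecognised string is never copied into the policy as-is.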
Contributor

QQ:

  1. Can we expect non-storage-related actions in the permission string going forward?
  2. Should we add an unsupported check for the permission if it doesn't start with storage:?

* Example: "storage://my-bucket" -> "arn:aws:s3:::my-bucket/*"
*/
private String convertResourceToArn(String resource) {
String bucketName = resource.substring("storage://".length());
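Review bot: the line String bucketName = resource.substring("storage://".length()); never checks that resource actually starts with "storage://". An input shorter than ten characters throws StringIndexOutOfBoundsException, and a longer input with a different prefix silently loses its first ten characters, so the resulting ARN scopes the boundary to a bucket name the caller never supplied. Add a guard such as if (!resource.startsWith("storage://")) throw new IllegalArgumentException(...) before the substring, and also reject an empty bucket name, since "storage://" alone would follow the documented pattern to "arn:aws:s3:::/*".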
Contributor

Same as above: should we strictly check the "storage://" prefix for the resource string till we support other use cases?

Contributor Author

Very likely it won't be extended based on known use-cases, but I think it's a good idea to add a precondition until we add support; will add it.

@sandeepvinayak sandeepvinayak enabled auto-merge (squash) January 9, 2026 17:59
@sandeepvinayak sandeepvinayak merged commit 8157a56 into salesforce:main Jan 9, 2026
5 checks passed
4 participants