HADOOP-19535: S3A: Support WebIdentityTokenFileCredentialsProvider

Support authentication through WebIdentityTokenFileCredentialsProvider,

Syed Shameerur Rahman

Author: shameersss1

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/AWSCredentialProviderList.java

@@ -198,6 +198,16 @@ public AwsCredentials resolveCredentials() {
         lastException = e;
         LOG.debug("No credentials provided by {}: {}",
             provider, e.toString(), e);
+      } catch (Exception e) {
+        // convert any other exception into SDKException.
+        // This is required because some credential provider like
+        // WebIdentityTokenFileCredentialsProvider might throw
+        // exceptions other than SdkException.
+        if (e.getMessage() != null) {
+          lastException = SdkException.create(e.getMessage(), e);
+        }
+        LOG.debug("No credentials provided by {}: {}",
+            provider, e.toString(), e);
       }
     }
 

hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/authentication.md

@@ -184,6 +184,7 @@ There are also many in the Amazon SDKs, with the common ones being as follows
 | `software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider` | AWS Environment Variables    |
 | `software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider`     | EC2 Metadata Credentials     |
 | `software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider`           | EC2/k8s Metadata Credentials |
+| `software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider`| K8s Metadata Credentials     |
 
 
 

hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/TestS3AAWSCredentialsProvider.java

@@ -187,6 +187,23 @@ public void testDefaultChain() throws Exception {
     assertCredentialProviders(expectedClasses, list2);
   }
 
+  @Test
+  public void testNonSdkExceptionConversion() throws Throwable {
+    // Create a mock credential provider that throws a non-SDK exception
+    AwsCredentialsProvider mockProvider = () -> {
+      throw new RuntimeException("Test credential error");
+    };
+
+    // Create the provider list with our mock provider
+    AWSCredentialProviderList providerList =
+        new AWSCredentialProviderList(Collections.singletonList(mockProvider));
+
+    // Attempt to get credentials, which should trigger the exception
+    intercept(NoAuthWithAWSException.class,
+        "No AWS Credentials provided",
+        () -> providerList.resolveCredentials());
+  }
+
   @Test
   public void testDefaultChainNoURI() throws Exception {
     Configuration conf = new Configuration(false);