Skip to content

Fix #2685 [BUG] S3 block spilling no longer passes request headers #3101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Trianz-Akshay wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Fix #2685 [BUG] S3 block spilling no longer passes request headers #3101

Trianz-Akshay wants to merge 4 commits into from

Conversation

@Trianz-Akshay
Copy link
Contributor

@Trianz-Akshay Trianz-Akshay commented Nov 5, 2025
edited
Loading

Issue #, if available:
#2685

Description of changes:

This PR fixes issue #2685 where spill_put_request_headers configuration was incorrectly being set as object metadata instead of request headers on S3 PutObject requests. This caused SSE-KMS encryption headers to not appear in CloudTrail requestParameters, breaking encryption requirements and audit logging.

Problem

In versions >= v2024.42.1, the spill_put_request_headers environment variable values were being set as object metadata using .metadata() instead of request headers. This meant:

  • SSE-KMS headers (x-amz-server-side-encryption, x-amz-server-side-encryption-aws-kms-key-id) were not sent as request parameters
  • CloudTrail logs showed headers missing from requestParameters (they only appeared in responseElements)

Solution

Changed S3BlockSpiller.write() to use AwsRequestOverrideConfiguration to set headers as request headers via .overrideConfiguration() instead of .metadata().

Test Document:
Bug_Fix_2685.docx

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@amazon-inspector-n-virginia
Copy link

amazon-inspector-n-virginia bot commented Nov 5, 2025

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

1 similar comment
@amazon-inspector-n-virginia
Copy link

amazon-inspector-n-virginia bot commented Nov 5, 2025

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

@amazon-inspector-n-virginia
Copy link

amazon-inspector-n-virginia bot commented Nov 5, 2025

✅ I finished the code review, and didn't find any security or code quality issues.

1 similar comment
@amazon-inspector-n-virginia
Copy link

amazon-inspector-n-virginia bot commented Nov 5, 2025

✅ I finished the code review, and didn't find any security or code quality issues.

@Trianz-Akshay Trianz-Akshay force-pushed the S3_block_spilling_request_headers_bug_2685 branch from 4572d26 to 3ca2f46 Compare November 5, 2025 11:13
@codecov
Copy link

codecov bot commented Nov 5, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.35%. Comparing base (fe0a5d9) to head (bac649c).
⚠️ Report is 110 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff              @@
##             master    #3101      +/-   ##
============================================
+ Coverage     63.67%   68.35%   +4.68%     
- Complexity     4344     5009     +665     
============================================
  Files           621      636      +15     
  Lines         23286    24170     +884     
  Branches       2859     3000     +141     
============================================
+ Hits          14827    16522    +1695     
+ Misses         7070     6210     -860     
- Partials       1389     1438      +49

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

AbdulR3hman
AbdulR3hman requested changes Nov 26, 2025
View reviewed changes
...-federation-sdk/src/main/java/com/amazonaws/athena/connector/lambda/data/S3BlockSpiller.java Outdated
/**
* Creates an AwsRequestOverrideConfiguration with custom headers from the environment
*/
private AwsRequestOverrideConfiguration createRequestOverrideConfig()
Copy link
Contributor

@AbdulR3hman AbdulR3hman Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return an optional here is better than nulls.

Copy link
Contributor Author

@Trianz-Akshay Trianz-Akshay Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion. Updated the code to return an Optional instead of null.

@Trianz-Akshay Trianz-Akshay force-pushed the S3_block_spilling_request_headers_bug_2685 branch from 81e8dcb to 195bbcb Compare November 27, 2025 11:55
@Trianz-Akshay Trianz-Akshay force-pushed the S3_block_spilling_request_headers_bug_2685 branch from 195bbcb to bac649c Compare December 5, 2025 05:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AbdulR3hman AbdulR3hman AbdulR3hman requested changes

@chngpe chngpe Awaiting requested review from chngpe

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Trianz-Akshay @AbdulR3hman