From 9367e04cf205bdc534a37caec857952c9285e9ce Mon Sep 17 00:00:00 2001 From: Adam Sachs Date: Thu, 3 Oct 2024 12:06:30 -0400 Subject: [PATCH 1/2] better handling of empty storage secrets in aws_util --- src/fides/api/util/aws_util.py | 7 +++++-- tests/ops/util/test_storage_authenticator.py | 4 +++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/src/fides/api/util/aws_util.py b/src/fides/api/util/aws_util.py index 385b1cef56..c3c87a9093 100644 --- a/src/fides/api/util/aws_util.py +++ b/src/fides/api/util/aws_util.py @@ -10,7 +10,7 @@ def get_aws_session( auth_method: str, - storage_secrets: Dict[StorageSecrets, Any], + storage_secrets: Optional[Dict[StorageSecrets, Any]], assume_role_arn: Optional[str] = None, ) -> Session: """ @@ -19,8 +19,11 @@ def get_aws_session( If an `assume_role_arn` is provided, the secrets will be used to assume that role and return a Session instantiated with that role. """ + if storage_secrets is None: + # set to an empty dict to allow for more dynamic code downstream + storage_secrets = {} if auth_method == AWSAuthMethod.SECRET_KEYS.value: - if storage_secrets is None: + if not storage_secrets: err_msg = "Storage secrets not found for S3 storage." logger.warning(err_msg) raise StorageUploadError(err_msg) diff --git a/tests/ops/util/test_storage_authenticator.py b/tests/ops/util/test_storage_authenticator.py index ed26370a7a..c087351fd4 100644 --- a/tests/ops/util/test_storage_authenticator.py +++ b/tests/ops/util/test_storage_authenticator.py 
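Review bot: In `get_aws_session` (src/fides/api/util/aws_util.py), the new `if not storage_secrets:` guard in the SECRET_KEYS branch rejects only `None` and `{}`, so a non-empty dict that lacks the access key id or the secret key, or holds empty values for them, still passes. The rest of the function is outside the hunk, so the consequence is inferred: a missing entry would surface as a bare `KeyError`, and if falsy values reach boto3's `Session(...)`, boto3 falls back to its default credential chain, giving the session the host's ambient identity rather than the configured keys. Checking the required entries by name closes that gap, for example `if not storage_secrets.get(StorageSecrets.AWS_ACCESS_KEY_ID):` plus the same check for the secret key, raising `StorageUploadError` as the existing guard does. The docstring should also state that `storage_secrets` may be `None` and is then treated as an empty dict, since the signature now advertises `Optional`.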
@@ -24,10 +24,12 @@ def tests_unsupported_storage_secret_type_error(self): ) def tests_automatic_auth_method(self, loguru_caplog): + # credentials error raised by AWS since runtime doesn't have env credentials set up - + # but ensure we don't raise an exception from our own code in parsing. with pytest.raises(NoCredentialsError): get_aws_session( AWSAuthMethod.AUTOMATIC.value, # type: ignore - {StorageSecrets.AWS_ACCESS_KEY_ID: "aws_access_key_id"}, + None, ) def test_secrets_are_valid_bad_storage_type(self): From acce076e897358b58784c06c55c9b57b9c2da0e5 Mon Sep 17 00:00:00 2001 From: Eliana Rosselli Date: Tue, 8 Oct 2024 16:08:30 -0700 Subject: [PATCH 2/2] Add changelog entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 909d0d9cec..7125d6667b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,6 +32,7 @@ The types of changes are: ### Fixed - Updating the hash migration status check query to use the available indexes [#5336](https://github.com/ethyca/fides/pull/5336) - Fixed column resize jank on all tables in Admin UI [#5340](https://github.com/ethyca/fides/pull/5340) +- Better handling of empty storage secrets in aws_util [#5347](https://github.com/ethyca/fides/pull/5347) ## [2.46.2](https://github.com/ethyca/fides/compare/2.46.1...2.46.2)
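Review bot: The behaviour this patch changes, rejecting an empty dict under SECRET_KEYS, has no test in tests/ops/util/test_storage_authenticator.py; `tests_automatic_auth_method` only shows that `None` is tolerated for the automatic method. I would add a case such as `with pytest.raises(StorageUploadError): get_aws_session(AWSAuthMethod.SECRET_KEYS.value, {})`; whether `StorageUploadError` is already imported in this file is not visible here. Separately, the `NoCredentialsError` assertion holds only when the runner has no ambient AWS credentials, as the added comment itself notes. On a host with credential env vars, a shared profile or an instance role the call may succeed and the test would fail, so clearing or stubbing those credential sources inside the test would make it deterministic.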