-
Notifications
You must be signed in to change notification settings - Fork 654
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nf-amazon 2.0.0: Unable to load AWS credentials when running on Github Actions #3989
Comments
It could be a problem with the handling of anonymous bucket access nextflow/plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3FileSystemProvider.java Lines 835 to 845 in 1daebee
@bentsherman can you please give it a try ? |
Yep, this wasn't an issue before and is breaking CI tests on nf-core. Seems to be specific to Github Actions. One way to try and reproduce would be use Nextflow
|
Here's a reproducible example: https://github.com/adamrtalbot/nf-amazon-bug Here's the Github actions: https://github.com/adamrtalbot/nf-amazon-bug/actions/runs/5144138673 |
The problem is with the credentials provider chain, which was added in the AWS config refactor: nextflow/plugins/nf-amazon/src/main/nextflow/cloud/aws/AwsClientFactory.groovy Lines 277 to 281 in 1daebee
This chain does not fallback to anonymous creds, so it just fails if none of the providers yield anything. You can also replicate it with the CLI, remove your credentials first. You can then make it work by adding $ aws s3 cp s3://ngi-igenomes/igenomes/Homo_sapiens/Ensembl/GRCh37/Annotation/README.txt -
download failed: s3://ngi-igenomes/igenomes/Homo_sapiens/Ensembl/GRCh37/Annotation/README.txt to - Unable to locate credentials
$ aws s3 cp --no-sign-request s3://ngi-igenomes/igenomes/Homo_sapiens/Ensembl/GRCh37/Annotation/README.txt -
The contents of the annotation directories were downloaded from Ensembl on: July 17, 2015.
Gene annotation files were downloaded from Ensembl release 75. SmallRNA annotation files were downloaded from miRBase release 21.
$ curl https://ngi-igenomes.s3.amazonaws.com/igenomes/Homo_sapiens/Ensembl/GRCh37/Annotation/README.txt
The contents of the annotation directories were downloaded from Ensembl on: July 17, 2015.
Gene annotation files were downloaded from Ensembl release 75. SmallRNA annotation files were downloaded from miRBase release 21. So, the quick workaround is to use the HTTP URL in your Nextflow pipeline, and the actual solution is to figure out how to fallback to anonymous creds in Nextflow. Clearly it used to do this because the public S3 URLs used to work. I'm not 100% sure, but from my research, it should be possible to add this fallback to our custom provider chain... Notes: |
Bug report
When running on Github actions (and probably some other systems that lack AWS credentials) Nextflow reports the error:
Full run details:
https://github.com/nf-core/smrnaseq/actions/runs/5134355097/jobs/9238248639?pr=254
The data is a public source so it should not require credentials.
Because this was a Github action, we can go back in history and see the same code working fine a few weeks ago. Here is a working version:
https://github.com/nf-core/smrnaseq/actions/runs/4958065849/jobs/8870496729
The main delta I can see is the working version was:
Nextflow v22.10.1 and nf-amazon v1.11.0
Nextflow v23.04.1 and nf-amazon v1.16.2
vs
Nextflow v23.05.0-edge and nf-amazon v2.0.0
I'm trying some combinations here. You can see some combinations aren't compatible which makes this fairly tricky to get right by just selecting versions: https://github.com/nf-core/smrnaseq/actions/runs/5135450691/jobs/9240888639
Expected behavior and actual behavior
Tests should pull data from AWS without credentials and not throw an error.
Steps to reproduce the problem
nf-core/smrnaseq#256
Program output
To follow.
Environment
$SHELL --version
)Additional context
(Add any other context about the problem here)
The text was updated successfully, but these errors were encountered: