[PR #10910] [MERGED] feat: add AWS workload identity support #22617

Closed
opened 2026-04-20 04:16:25 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/10910
Author: @saraangelmurphy
Created: 2/27/2025
Status: Merged
Merged: 2/27/2025
Merged by: @tjbck

Base: dev ← Head: awsworkloadidentity


📝 Commits (2)

  • 15485e7 Merge pull request #10469 from open-webui/dev
  • 5e873bc feat: add AWS workload identity support

📊 Changes

2 files changed (+37 additions, -12 deletions)

View changed files

📝 backend/open_webui/storage/provider.py (+26 -12)
📝 backend/open_webui/test/apps/webui/storage/test_provider.py (+11 -0)

📄 Description

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions and describe your changes before submitting a pull request.

Before submitting, make sure you've checked the following:

  • [x] Target branch: Please verify that the pull request targets the dev branch.
  • [x] Description: Provide a concise description of the changes made in this pull request.
  • [x] Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • [ ] Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
  • [x] Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • [x] Testing: Have you written and run sufficient tests for validating the changes?
  • [x] Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • [x] Prefix: To clearly categorize this pull request, prefix the pull request title, using one of the following:
    • BREAKING CHANGE: Significant changes that may affect compatibility
    • build: Changes that affect the build system or external dependencies
    • ci: Changes to our continuous integration processes or workflows
    • chore: Refactor, cleanup, or other non-functional code changes
    • docs: Documentation update or addition
    • feat: Introduces a new feature or enhancement to the codebase
    • fix: Bug fix or error correction
    • i18n: Internationalization or localization changes
    • perf: Performance improvement
    • refactor: Code restructuring for better maintainability, readability, or scalability
    • style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)
    • test: Adding missing tests or correcting existing tests
    • WIP: Work in progress, a temporary label for incomplete or ongoing work

Changelog Entry

Description

This PR adds support for authenticating to AWS S3 buckets without explicitly setting S3_ACCESS_KEY_ID and S3_SECRET_ACCESS_KEY environment variables. The S3StorageProvider now falls back to the AWS default credential provider chain when explicit credentials are not provided, enabling workload identity support for AWS services.

This enhancement allows Open WebUI to authenticate to S3 using:

  • IAM roles for EC2 instances
  • IAM roles for EKS pods (Kubernetes service accounts)
  • IAM roles for ECS tasks
  • Other AWS credential providers in the chain

This change also aligns the S3StorageProvider with the existing workload identity support already present in the Azure and GCP storage providers.

Added

  • Support for AWS default credential provider chain in S3StorageProvider
  • Ability to use workload identity (IAM roles) for AWS S3 authentication
  • Test coverage for credential-less S3 initialization

Changed

  • Modified S3StorageProvider initialization to support both explicit credentials and workload identity
  • Improved code comments to document the authentication options

Deprecated

Removed

Fixed

Security

  • Enhanced security by supporting managed identities instead of requiring static credentials
  • Follows AWS best practices for credential management

Breaking Changes


Additional Information

This change enables Open WebUI to support workload identity across all major cloud providers (AWS, Azure, GCP). It also avoids the need for static credentials in production environments, which is prohibited by many corporate security teams.

For local development, users can continue to use explicit credentials, or leverage their existing AWS CLI credentials.

Screenshots or Videos


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
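The fallback the PR describes (explicit S3_ACCESS_KEY_ID / S3_SECRET_ACCESS_KEY when both are set, otherwise the AWS default credential provider chain), as an added example that is not Open WebUI's code and not the PR's diff. It returns the keyword arguments such a provider would hand to boto3.client("s3", ...), fails at startup when only one of the two static keys is set (botocore itself raises PartialCredentialsError in that situation, but only when the client is built), predicts which default-chain provider will serve the request so it can be logged, and includes an optional STS get-caller-identity check. The S3_REGION_NAME and S3_ENDPOINT_URL setting names, the helper names, and the sample environments are assumptions for illustration.

```python
# Added example (not Open WebUI's code): prefer explicit static keys, else
# defer to the AWS default credential chain, and fail early on half-set keys.
import os
from dataclasses import dataclass
from typing import Mapping, Optional


class PartialStaticCredentials(ValueError):
    """Only one of S3_ACCESS_KEY_ID / S3_SECRET_ACCESS_KEY was configured."""


@dataclass(frozen=True)
class S3ClientConfig:
    # kwargs that would be passed to boto3.client("s3", **client_kwargs)
    client_kwargs: dict
    # where the credentials are expected to come from (for startup logging)
    source: str


def predicted_chain_source(env: Mapping[str, str]) -> str:
    """Predict which default-chain provider boto3 will most likely use.

    Approximates botocore's order: environment keys, then web identity
    (EKS IRSA), then a shared profile, then the container credential
    endpoint, then EC2 instance metadata. It is a logging heuristic; the
    authoritative answer is boto3.Session().get_credentials().method.
    """
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "env (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY)"
    if env.get("AWS_WEB_IDENTITY_TOKEN_FILE") and env.get("AWS_ROLE_ARN"):
        return "assume-role-with-web-identity (EKS IRSA / Kubernetes service account)"
    if env.get("AWS_PROFILE"):
        return f"shared profile {env['AWS_PROFILE']!r} from ~/.aws"
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") or env.get(
        "AWS_CONTAINER_CREDENTIALS_FULL_URI"
    ):
        return "container-role (ECS task role / EKS Pod Identity endpoint)"
    return "iam-role via EC2 instance metadata, or ~/.aws/credentials if present"


def s3_client_config(env: Optional[Mapping[str, str]] = None) -> S3ClientConfig:
    """Decide how the S3 client authenticates.

    Both static keys set -> pass them explicitly.
    Neither set          -> pass nothing; boto3 walks the default chain.
    Exactly one set      -> raise now rather than at the first upload.
    """
    env = os.environ if env is None else env
    key_id = env.get("S3_ACCESS_KEY_ID") or None  # treat "" as unset
    secret = env.get("S3_SECRET_ACCESS_KEY") or None

    kwargs = {}
    # Assumed setting names for region and custom endpoint (not from the PR).
    if env.get("S3_REGION_NAME"):
        kwargs["region_name"] = env["S3_REGION_NAME"]
    if env.get("S3_ENDPOINT_URL"):
        kwargs["endpoint_url"] = env["S3_ENDPOINT_URL"]

    if key_id and secret:
        kwargs["aws_access_key_id"] = key_id
        kwargs["aws_secret_access_key"] = secret
        return S3ClientConfig(
            kwargs, "explicit static keys (S3_ACCESS_KEY_ID / S3_SECRET_ACCESS_KEY)"
        )
    if key_id or secret:
        missing = "S3_SECRET_ACCESS_KEY" if key_id else "S3_ACCESS_KEY_ID"
        raise PartialStaticCredentials(
            f"{missing} is unset; set both static keys, or neither to use the default chain"
        )
    return S3ClientConfig(kwargs, "default credential chain: " + predicted_chain_source(env))


def verify_identity(config: S3ClientConfig) -> str:
    """Startup check: report the principal the resolved credentials act as.

    Needs boto3 and network access, so boto3 is imported lazily and this
    function is not exercised by the offline parts of the example.
    """
    import boto3  # assumed installed, as it is wherever an S3 provider runs

    session_kwargs = {
        k: v
        for k, v in config.client_kwargs.items()
        if k in ("aws_access_key_id", "aws_secret_access_key", "region_name")
    }
    session = boto3.Session(**session_kwargs)
    creds = session.get_credentials()
    if creds is None:
        raise RuntimeError(f"no AWS credentials resolved ({config.source})")
    arn = session.client("sts").get_caller_identity()["Arn"]
    return f"{arn} via {creds.method}"


if __name__ == "__main__":
    # Constructed sample environment (IRSA-style pod), no real credentials.
    irsa_env = {
        "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
        "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/open-webui-s3",
    }
    print(s3_client_config(irsa_env).source)
```

The predicted source is only a hint; log `creds.method` from the real session when you want to know which provider actually answered. Running the identity check once at startup is worth the round trip: on EKS, a pod whose service account is not annotated for IRSA does not fail, it silently falls through to the node's instance role via IMDS, which usually carries far more permissions than the bucket policy you intended.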

GiteaMirror added the pull-request label 2026-04-20 04:16:25 -05:00
Reference: github-starred/open-webui#22617