From d73e9067ba28c2a7421198c1df2f319b6f05ba53 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Fri, 10 Jan 2025 14:11:41 +0000
Subject: [PATCH] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! General improvements
---
 chart/Chart.yaml | 4 ++--
 chart/values.yaml | 2 +-
 docker-image-worker/s3_utils.py | 20 +++++++++++++++-----
 3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index bc02e96..d23352a 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -10,9 +10,9 @@ description: |
 type: application
-version: 0.2.36
+version: 0.2.38
-appVersion: "0.2.36"
+appVersion: "0.2.38"
 home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator
diff --git a/chart/values.yaml b/chart/values.yaml
index b2540f4..64fa231 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -12,7 +12,7 @@ sa:
 - ALL
 image:
 repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator
- tag: 0.2.36
+ tag: 0.2.38
 resources:
 limits:
 cpu: 500m
diff --git a/docker-image-worker/s3_utils.py b/docker-image-worker/s3_utils.py
index 206bc24..7bcd448 100644
--- a/docker-image-worker/s3_utils.py
+++ b/docker-image-worker/s3_utils.py
@@ -63,14 +63,24 @@ def get_s3_client(use_role=False, role_name=None, use_current_role=False, aws_ac
 # Use the current role (e.g., from Kubernetes service account)
 logger.info("Using current role from environment")
 try:
- client = boto3.client('s3', **client_kwargs)
- # Try to get caller identity to verify credentials
- sts = boto3.client('sts')
- identity = sts.get_caller_identity()
- logger.info(f"Successfully authenticated using current role: {identity['Arn']}")
+ # Don't create an STS client or try to assume role, just use the web identity credentials directly
+ session = boto3.Session()
+ client = session.client('s3', **client_kwargs)
+
+ # Log the identity for debugging but don't create a separate STS client
+ creds = session.get_credentials()
+ if creds:
+ logger.info("Successfully obtained credentials from environment")
+ # Try to get the role ARN from environment for logging
+ role_arn = os.environ.get('AWS_ROLE_ARN')
+ if role_arn:
+ logger.info(f"Using role: {role_arn}")
 return client
 except Exception as e:
 logger.error(f"Failed to use current role: {str(e)}")
+ logger.error("Environment variables:")
+ for env_var in ['AWS_WEB_IDENTITY_TOKEN_FILE', 'AWS_ROLE_ARN', 'AWS_ROLE_SESSION_NAME']:
+ logger.error(f"- {env_var}: {os.environ.get(env_var, 'not set')}")
 raise
 else:
 # Use default credentials (environment, instance profile, or pod service account)
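Review bot: The added `if creds:` check does not verify that the web-identity credentials actually work — as far as I can tell boto3 resolves the AssumeRoleWithWebIdentity exchange lazily, so `session.get_credentials()` returns a provider object without contacting STS, the "Successfully obtained credentials" line is logged before any token exchange, and a bad token or trust policy only surfaces on the first S3 call outside this `try`, where the new environment-variable dump in the `except` never runs. The hunk also swaps a verified identity (the `get_caller_identity` ARN the removed lines logged) for the unverified `AWS_ROLE_ARN` value, which is what the pod asked for rather than what it was granted. Forcing resolution inside the `try` keeps the diagnostic handler reachable and restores fail-fast behaviour, and a `None` result should raise instead of silently falling through to `return client`. Keep the env-var list on the error path limited to non-secret names as it is now; never extend it to `AWS_SECRET_ACCESS_KEY` or `AWS_SESSION_TOKEN`. `get_s3_client` begins and ends outside this hunk.
```python
creds = session.get_credentials()
if creds is None:
    raise RuntimeError("No AWS credentials could be resolved from the environment")
# Force the lazy web-identity token exchange now so a failure is raised inside this try block
creds.get_frozen_credentials()
logger.info("Successfully obtained credentials via %s", getattr(creds, "method", "unknown"))
# … unchanged: AWS_ROLE_ARN logging, return client …
```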