If a user leaves `accessKey` / `secretKey` blank, the backend should try the standard AWS credential provider chain instead of failing:
- `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` env vars
- `AWS_PROFILE` / `~/.aws/credentials`
- Container/EC2 instance metadata
Scope
- Backend reads `boto3.Session().get_credentials()` when the config fields are empty and populates the DuckDB S3 secrets from there.
- `ConnectionConfig` validators loosened so empty string keys pass validation (currently `accessKey` / `secretKey` must be non-empty).
- Probe response indicates which auth source was used, e.g. `"authSource": "env|profile|instance"`, so the UI can show "Connected via AWS_PROFILE=dev".
- Frontend: credential fields labelled "Leave blank to use local AWS credentials".
Why
Every AWS-native data tool (DuckDB CLI, Athena workbench, Spark) honours the credential chain. Forcing paste of secret keys into a web form is both worse UX and worse security (muscle memory for leaking keys into Slack). Onboarding drop for anyone already authed via aws-vault, SSO, or IRSA.
Not in scope
- Per-request STS / role assumption — keep it simple for now.
- Remote Cloudfloe deployments querying the user's cloud: this is local-first DX.
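A sketch of the fallback described under Scope, added here as an example and not Cloudfloe's own code: it resolves credentials from the form or from the boto3 chain, carries the session token that temporary credentials need, and returns only the source label to the UI. The function names, the `"config"` source value, the method-to-source mapping and the both-or-neither rule for the form fields are assumptions.

```python
from typing import Any, Optional

# Assumed mapping from botocore's Credentials.method to the issue's authSource values.
_SOURCE_BY_METHOD = {
    "env": "env",
    "shared-credentials-file": "profile",
    "config-file": "profile",
    "sso": "profile",
    "iam-role": "instance",
    "container-role": "instance",
}


def resolve_s3_credentials(access_key: str = "", secret_key: str = "",
                           session: Optional[Any] = None) -> dict:
    """Return DuckDB S3 secret fields plus the authSource for the probe response."""
    access_key, secret_key = access_key.strip(), secret_key.strip()
    if bool(access_key) != bool(secret_key):
        # Half-filled form: refuse rather than silently switch to another identity.
        raise ValueError("provide both accessKey and secretKey, or leave both blank")
    if access_key:
        return {"key_id": access_key, "secret": secret_key,
                "session_token": None, "authSource": "config"}  # "config" is assumed
    if session is None:
        import boto3  # imported lazily; only the fallback path needs it
        session = boto3.Session()
    creds = session.get_credentials()
    if creds is None:
        raise LookupError("no keys in config and none found by the AWS provider chain")
    frozen = creds.get_frozen_credentials()  # consistent snapshot of all three values
    return {"key_id": frozen.access_key, "secret": frozen.secret_key,
            # Temporary credentials (SSO, role-based) are rejected by S3 without the token.
            "session_token": frozen.token or None,
            # Unmapped methods fall through as botocore's own label.
            "authSource": _SOURCE_BY_METHOD.get(creds.method, creds.method)}


def probe_response(resolved: dict) -> dict:
    """Only the source label leaves the backend; key material never does."""
    return {"ok": True, "authSource": resolved["authSource"]}
```

Passing `session_token` through to the DuckDB S3 secret matters for exactly the users the issue targets, since aws-vault, SSO and IRSA all hand out temporary credentials.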