FIX: Allow aws mediaconvert to use iam profile (#35091)

When authenticating to aws mediaconvert we need to also allow the use of `iam_profile` and not just assume `s3_access_key_id` and `s3_secret_access_key` are being used.
2025-10-03 17:21:20 +08:00 · 2025-10-01 12:46:35 -06:00 · 2025-10-01 12:46:35 -06:00 · c927ba9357
commit c927ba9357
parent c972bfa239
2 changed files with 34 additions and 6 deletions
--- a/app/services/video_conversion/aws_media_convert_adapter.rb
+++ b/app/services/video_conversion/aws_media_convert_adapter.rb
@ -191,14 +191,18 @@ module VideoConversion
    end

    def create_basic_client(endpoint: nil)
-      Aws::MediaConvert::Client.new(
-        region: SiteSetting.s3_region,
-        credentials:
-          Aws::Credentials.new(SiteSetting.s3_access_key_id, SiteSetting.s3_secret_access_key),
-        endpoint: endpoint,
+      client_options = { region: SiteSetting.s3_region, endpoint: endpoint }
+
+      if !SiteSetting.s3_use_iam_profile
+        client_options[:credentials] = Aws::Credentials.new(
+          SiteSetting.s3_access_key_id,
+          SiteSetting.s3_secret_access_key,
        )
      end

+      Aws::MediaConvert::Client.new(client_options)
+    end
+
    def update_posts_with_optimized_video
      post_ids = UploadReference.where(upload_id: @upload.id, target_type: "Post").pluck(:target_id)

--- a/spec/services/video_conversion/aws_media_convert_adapter_spec.rb
+++ b/spec/services/video_conversion/aws_media_convert_adapter_spec.rb
@ -49,6 +49,7 @@ RSpec.describe VideoConversion::AwsMediaConvertAdapter do
    allow(SiteSetting).to receive(:s3_region).and_return(s3_region)
    allow(SiteSetting).to receive(:s3_access_key_id).and_return("test-key")
    allow(SiteSetting).to receive(:s3_secret_access_key).and_return("test-secret")
+    allow(SiteSetting).to receive(:s3_use_iam_profile).and_return(false)
    allow(SiteSetting).to receive(:s3_use_acls).and_return(true)

    allow(Aws::MediaConvert::Client).to receive(:new).and_return(mediaconvert_client)
@ -186,6 +187,29 @@ RSpec.describe VideoConversion::AwsMediaConvertAdapter do
        expect(adapter.convert).to be false
      end
    end
+
+    context "when using IAM profile" do
+      before do
+        allow(SiteSetting).to receive(:s3_use_iam_profile).and_return(true)
+        allow(SiteSetting).to receive(:s3_access_key_id).and_return("")
+        allow(SiteSetting).to receive(:s3_secret_access_key).and_return("")
+        upload.update!(
+          url: "//#{s3_bucket}.s3.#{s3_region}.amazonaws.com/uploads/default/original/test.mp4",
+          original_filename: "test.mp4",
+        )
+        allow(mediaconvert_job).to receive(:id).and_return(job_id)
+        allow(mediaconvert_client).to receive(:create_job).and_return(mediaconvert_job_response)
+      end
+
+      it "creates MediaConvert client without explicit credentials" do
+        expected_client_options = { region: s3_region, endpoint: "https://mediaconvert.endpoint" }
+
+        adapter.convert
+
+        expect(Aws::MediaConvert::Client).to have_received(:new).with(expected_client_options)
+        expect(adapter.convert).to be true
+      end
+    end
  end

  describe "#check_status" do