AWS STS for connecting S3 for archival

[Mahee777]

Hi Team,

Problem Statement We are using a self-hosted Temporal service and attempting to enable the archival feature. However, we are unable to access AWS S3 from the Temporal service because it does not support AWS STS. The Temporal server requires actual access_key and secret, but due to infrastructure restrictions, we cannot use actual AWS credentials. Our infrastructure supports STS, but the Temporal server does not. Is there an alternative solution that can work in this scenario?

Expected Behavior temporal server should be able to connect with S3 bucker and archive.

Actual Behavior getting 403

[Protozet]

@Mahee777 - Were you able to get it running using the actual AWS access key and secret? Can you share your archival values ?

[Mahee777]

@Protozet its working with actual AWS access and secret key.

Here is the archival values

history: enableRead: true provider: filestore: null gstorage: null s3store: endpoint: null logLevel: 0 region: us-east-1 s3ForcePathStyle: false state: enabled visibility: enableRead: true provider: filestore: null gstorage: null s3store: endpoint: null logLevel: 0 region: us-east-1 s3ForcePathStyle: false state: enabled namespaceDefaults: archival: history: URI: s3://dev-workflow-temporal-archive-bucket state: enabled visibility: URI: s3://dev-workflow-temporal-archive-bucket state: enabled

[erka]

@Mahee777 You need a role for the Temporal and then set that role to environment variable AWS_ROLE_ARN. It really depends on the your setup how it should be configured. EC2, ECS, EKS, etc will have own steps. Like https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html.

Also you will need access key and secret to assume into the role with STS in any case.