From 60ab7027c03de2595633972aa53f460becff0642 Mon Sep 17 00:00:00 2001
From: Jacky Wu <Colstuwjx@gmail.com>
Date: Tue, 10 Jun 2025 06:50:07 +0400
Subject: [PATCH] fix: allow to do role auth for S3 bucket use. (#8149)

### What problem does this PR solve?

Close #8148 .

### Type of change

- [x] New Feature (non-breaking change which adds functionality)
---
 rag/utils/s3_conn.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/rag/utils/s3_conn.py b/rag/utils/s3_conn.py
index 05c68880a..bccfd91fc 100644
--- a/rag/utils/s3_conn.py
+++ b/rag/utils/s3_conn.py
@@ -65,10 +65,14 @@ class RAGFlowS3:
             pass
 
         try:
-            s3_params = {
-                'aws_access_key_id': self.access_key,
-                'aws_secret_access_key': self.secret_key,
-            }
+            s3_params = {}
+            # if not set ak/sk, boto3 s3 client would try several ways to do the authentication
+            # see doc: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials
+            if self.access_key and self.secret_key:
+                s3_params = {
+                    'aws_access_key_id': self.access_key,
+                    'aws_secret_access_key': self.secret_key,
+                }
             if self.region in self.s3_config:
                 s3_params['region_name'] = self.region
             if 'endpoint_url' in self.s3_config: