v.21.1Improvements

Added S3 Client Authentication with AssumeRole and Environment Configuration

Published: November 25, 2025

Added proper authentication using environment, ~/.aws and AssumeRole for S3 client. #16856 (Vladimir Chebotarev).

Adds enhanced authentication support for the S3 client in ClickHouse, including environment variable credentials, ~/.aws configuration, and AWS AssumeRole capabilities.

Why it matters

This feature improves the S3 client authentication process by enabling ClickHouse to use various AWS authentication methods beyond static credentials. It allows users to securely access S3 buckets using environment credentials, shared AWS config files, and temporary credentials obtained via AssumeRole. This enhancement simplifies integration with AWS environments and enhances security and flexibility.

How to use it

To use the new authentication methods for the S3 client, configure your AWS credentials using environment variables (e.g., AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), the standard AWS credentials file located at ~/.aws/credentials, or set up AssumeRole in your AWS configuration. ClickHouse will automatically detect and use these credentials when connecting to S3 storage.

Related resources

Pull Request #16856