y-scope · junhaoliao · Apr 10, 2026 · Apr 10, 2026 · Apr 10, 2026 · Apr 10, 2026
@@ -18,3 +18,7 @@ PRESTO_SCHEMA=default
 # Security
 RATE_LIMIT=1000
 
+# S3
+CLP_STREAM_OUTPUT_AWS_ACCESS_KEY_ID=
+CLP_STREAM_OUTPUT_AWS_SECRET_ACCESS_KEY=
+
@@ -1,6 +1,7 @@
 import {
     GetObjectCommand,
     S3Client,
+    S3ClientConfig,
 } from "@aws-sdk/client-s3";
 import {getSignedUrl} from "@aws-sdk/s3-request-presigner";
 import {Nullable} from "@webui/common/utility-types";
@@ -11,20 +12,18 @@ import {PRE_SIGNED_URL_EXPIRY_TIME_SECONDS} from "./typings.js";
 
 
 /**
- * Class to manage Simple Storage Service (S3) objects.
+ * Class to manage Simple Storage Service (S3) objects for stream files.
  */
 class S3Manager {
-    readonly #s3Client;
+    #s3Client: Nullable<S3Client> = null;
+
+    readonly #s3ClientConfig: S3ClientConfig;
 
     /**
-     * @param region
-     * @param [profile]
+     * @param config
      */
-    constructor (region: string, profile: Nullable<string>) {
-        this.#s3Client = new S3Client({
-            region,
-            ...((null !== profile) && {profile}),
-        });
+    constructor (config: S3ClientConfig) {
+        this.#s3ClientConfig = config;
     }
 
     /**
@@ -35,6 +34,10 @@ class S3Manager {
      * @throws {Error} If a pre-signed URL couldn't be generated.
      */
     async getPreSignedUrl (s3UriString: string): Promise<string> {
+        if (null === this.#s3Client) {
+            this.#s3Client = new S3Client(this.#s3ClientConfig);
+        }
+
         const s3Uri = new URL(s3UriString);
         const command = new GetObjectCommand({
             Bucket: s3Uri.hostname,
@@ -60,7 +63,7 @@ class S3Manager {
 
 declare module "fastify" {
     interface FastifyInstance {
-        S3Manager?: S3Manager;
+        StreamFilesS3Manager?: S3Manager;
     }
 }
 
@@ -74,11 +77,25 @@ export default fp(
         // values are not hardcoded.
         // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
         if (null !== region && "" !== region) {
+            const {
+                CLP_STREAM_OUTPUT_AWS_ACCESS_KEY_ID: accessKeyId,
+                CLP_STREAM_OUTPUT_AWS_SECRET_ACCESS_KEY: secretAccessKey,
+            } = fastify.config;
+
+            const s3ClientConfig: S3ClientConfig = {
+                ...((accessKeyId && secretAccessKey) ?
+                    {credentials: {accessKeyId, secretAccessKey}} :
+                    {}),
+                // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+                ...((null !== profile) && {profile}),
+                region,
+            };
+
             fastify.log.info(
                 {region, profile},
-                "Initializing S3Manager"
+                "Initializing StreamFilesS3Manager"
             );
-            fastify.decorate("S3Manager", new S3Manager(region, profile));
+            fastify.decorate("StreamFilesS3Manager", new S3Manager(s3ClientConfig));
         }
     },
 );
@@ -10,6 +10,8 @@ declare module "fastify" {
             USER: string;
             CLP_DB_USER: string;
             CLP_DB_PASS: string;
+            CLP_STREAM_OUTPUT_AWS_ACCESS_KEY_ID: string;
+            CLP_STREAM_OUTPUT_AWS_SECRET_ACCESS_KEY: string;
             PRESTO_CATALOG: string;
             PRESTO_SCHEMA: string;
             RATE_LIMIT: number;
@@ -56,6 +58,16 @@ const schema = {
             type: "string",
         },
 
+        // S3
+        CLP_STREAM_OUTPUT_AWS_ACCESS_KEY_ID: {
+            type: "string",
+            default: "",
+        },
+        CLP_STREAM_OUTPUT_AWS_SECRET_ACCESS_KEY: {
+            type: "string",
+            default: "",
+        },
+
         // Presto
         PRESTO_CATALOG: {
             type: "string",

@@ -69,8 +69,9 @@ const plugin: FastifyPluginAsyncTypebox = async (fastify) => {
                 }
             }
 
-            if (fastify.hasDecorator("S3Manager") && "undefined" !== typeof fastify.S3Manager) {
-                streamMetadata.path = await fastify.S3Manager.getPreSignedUrl(
+            if (fastify.hasDecorator("StreamFilesS3Manager") &&
+                "undefined" !== typeof fastify.StreamFilesS3Manager) {
+                streamMetadata.path = await fastify.StreamFilesS3Manager.getPreSignedUrl(
                     `s3://${settings.StreamFilesS3PathPrefix}${streamMetadata.path}`
                 );
             } else {

@@ -57,9 +57,9 @@ spec:
               value: {{ .Values.clpConfig.webui.rate_limit | quote }}
             {{- with .Values.clpConfig.stream_output.storage }}
             {{- if and (eq .type "s3") (eq .s3_config.aws_authentication.type "credentials") }}
-            - name: "AWS_ACCESS_KEY_ID"
+            - name: "CLP_STREAM_OUTPUT_AWS_ACCESS_KEY_ID"
               value: {{ .s3_config.aws_authentication.credentials.access_key_id | quote }}
-            - name: "AWS_SECRET_ACCESS_KEY"
+            - name: "CLP_STREAM_OUTPUT_AWS_SECRET_ACCESS_KEY"
               value: {{ .s3_config.aws_authentication.credentials.secret_access_key | quote }}
             {{- end }}{{/* if and (eq .type "s3")
                                   (eq .s3_config.aws_authentication.type "credentials") */}}

@@ -366,8 +366,8 @@ services:
     <<: *service_defaults
     hostname: "webui"
     environment:
-      AWS_ACCESS_KEY_ID: "${CLP_STREAM_OUTPUT_AWS_ACCESS_KEY_ID:-}"
-      AWS_SECRET_ACCESS_KEY: "${CLP_STREAM_OUTPUT_AWS_SECRET_ACCESS_KEY:-}"
+      CLP_STREAM_OUTPUT_AWS_ACCESS_KEY_ID: "${CLP_STREAM_OUTPUT_AWS_ACCESS_KEY_ID:-}"
+      CLP_STREAM_OUTPUT_AWS_SECRET_ACCESS_KEY: "${CLP_STREAM_OUTPUT_AWS_SECRET_ACCESS_KEY:-}"
       CLP_DB_PASS: "${CLP_DB_PASS:?Please set a value.}"
       CLP_DB_USER: "${CLP_DB_USER:-clp-user}"
       HOST: "0.0.0.0"