docs: Cube Store S3 authentication via AWS Web Identity (follow-up to #10687)

igorlukanin · igorlukanin · commit 0e89fb0b39ae · 2026-06-16T17:02:17.000+02:00
diff --git a/docs-mintlify/cube-core/architecture.mdx b/docs-mintlify/cube-core/architecture.mdx
@@ -235,10 +235,18 @@ services:
       - cubestore_router
 ```
 
+Instead of static access keys, Cube Store can authenticate to S3 using AWS Web
+Identity (for example, IRSA on Amazon EKS). Leave `CUBESTORE_AWS_ACCESS_KEY_ID`
+unset and provide
+[`CUBESTORE_AWS_WEB_IDENTITY_TOKEN_FILE`][ref-config-env-cubestore-web-identity]
+and [`CUBESTORE_AWS_ROLE_ARN`][ref-config-env]; Cube Store then assumes the role
+via STS and refreshes credentials automatically when the token file changes.
+
 
 [dh-cubejs]: https://hub.docker.com/r/cubejs/cube
 [dh-cubestore]: https://hub.docker.com/r/cubejs/cubestore
 [ref-config-env]: /reference/configuration/environment-variables
+[ref-config-env-cubestore-web-identity]: /reference/configuration/environment-variables#cubestore_aws_web_identity_token_file
 [ref-config-js]: /reference/configuration/config
 [ref-conf-ref-schemapath]: /reference/configuration/config#schema_path
 [gh-pavel]: https://github.com/paveltiunov
diff --git a/docs-mintlify/reference/configuration/environment-variables.mdx b/docs-mintlify/reference/configuration/environment-variables.mdx
@@ -1576,6 +1576,28 @@ Required when using an AWS instance role.
 | ------------------------- | ---------------------- | --------------------- |
 | A valid number in minutes | `180`                  | `180`                 |
 
+## `CUBESTORE_AWS_WEB_IDENTITY_TOKEN_FILE`
+
+The path to an AWS web identity token file. When `CUBESTORE_AWS_ACCESS_KEY_ID` is
+not set and this variable is present, Cube Store authenticates to S3 using AWS Web
+Identity (for example, [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
+on Amazon EKS): it exchanges the token for
+temporary credentials via STS `AssumeRoleWithWebIdentity` and re-exchanges them
+when the token file changes.
+
+| Possible Values | Default in Development | Default in Production |
+| --------------- | ---------------------- | --------------------- |
+| A valid file path | N/A                  | N/A                   |
+
+## `CUBESTORE_AWS_ROLE_ARN`
+
+The ARN of the AWS IAM role to assume when using
+[`CUBESTORE_AWS_WEB_IDENTITY_TOKEN_FILE`](#cubestore_aws_web_identity_token_file).
+
+| Possible Values   | Default in Development | Default in Production |
+| ----------------- | ---------------------- | --------------------- |
+| A valid IAM role ARN | N/A                 | N/A                   |
+
 ## `CUBESTORE_BIND_ADDR`
 
 The address/port pair for Cube Store's MySQL-compatible interface.
