Read ESA WorldCover anonymously so SSO AWS configs don't crash reports by bpurinton · Pull Request #124 · uw-cryo/asp_plot

bpurinton · 2026-06-11T21:20:35Z

Summary

Altimetry._sample_worldcover_into_gdf() reads the public ESA WorldCover 10 m COGs from S3, but opened them with rasterio's default AWS session, which eagerly resolves AWS credentials. On a machine whose ~/.aws/config uses an SSO/login provider, botocore raises:

botocore.exceptions.MissingDependencyException: Missing Dependency:
Using the login credential provider requires an additional dependency.
You will need to pip install "botocore[crt]" before proceeding.

…which aborts the entire asp_plot report during the ICESat-2 WorldCover landcover step — even though the bucket is public and needs no credentials at all.

Fix

Open the COGs with an explicit unsigned session:

from rasterio.session import AWSSession
unsigned_session = AWSSession(aws_unsigned=True)
with rasterio.Env(unsigned_session, GDAL_DISABLE_READDIR_ON_OPEN="YES", CPL_VSIL_CURL_USE_HEAD="NO"):
    with rasterio.open(url) as src:
        ...

aws_unsigned=True skips credential resolution entirely, so anonymous access is used regardless of the user's AWS configuration.

Verification

Reproduced and fixed against the offending machine config (no env-var workarounds):

CURRENT: crashed -> MissingDependencyException  (login credential provider ... botocore[crt])
FIX:     opened OK, bounds: (-120.0, 30.0, -117.0, 33.0)

This surfaced while validating #121's --reuse_selections on a real Earth (ASTER) example; users currently work around it with AWS_NO_SIGN_REQUEST=YES AWS_CONFIG_FILE=/dev/null, which this fix makes unnecessary.

Notes

Bumps version 1.15.1 → 1.15.2 (patch). This is independent of Add a flag to re-use icesat tracks and hillshade detail clip areas between runs #121. If Add a flag to re-use icesat tracks and hillshade detail clip areas between runs #121 (which bumps to 1.16.0) merges first, this branch needs a quick rebump to 1.16.1 to stay ahead — happy to rebase whenever you sequence them.
No new dependency: rasterio.session.AWSSession is already available via the existing rasterio dependency.

_sample_worldcover_into_gdf opened the public ESA WorldCover S3 COGs with rasterio's default AWS session, which eagerly resolves credentials. On a machine whose ~/.aws/config uses an SSO/login provider, botocore raised MissingDependencyException ('requires botocore[crt]'), aborting the whole asp_plot report — even though the bucket is public and needs no credentials. Use an explicit unsigned session (AWSSession(aws_unsigned=True)) so anonymous access is used regardless of the user's AWS configuration. Bumps version to 1.15.2.

bpurinton merged commit 1f60bab into main Jun 11, 2026
1 check passed

bpurinton deleted the worldcover-anonymous-s3 branch June 11, 2026 21:29

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Read ESA WorldCover anonymously so SSO AWS configs don't crash reports#124

Read ESA WorldCover anonymously so SSO AWS configs don't crash reports#124
bpurinton merged 1 commit into
mainfrom
worldcover-anonymous-s3

bpurinton commented Jun 11, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

bpurinton commented Jun 11, 2026

Summary

Fix

Verification

Notes

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant