Conversation
tito
approved these changes
Mar 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixed
get_dailyco_storage()to constructAwsStorageexplicitly with onlyrole_arn, instead of usingStorage.get_instance()which auto-collects allDAILYCO_STORAGE_AWS_*settings. This prevents theValueError: cannot use both aws_role_arn and access keyscrash when bothDAILYCO_STORAGE_AWS_ROLE_ARNandDAILYCO_STORAGE_AWS_ACCESS_KEY_ID/SECRET_ACCESS_KEYare configured in the same environment.The root cause:
Storage.get_instance(settings_prefix="DAILYCO_STORAGE_")iterates all settings matching that prefix and passes them toAwsStorage(**config). After the platform-agnostic source storage feature addedDAILYCO_STORAGE_AWS_ACCESS_KEY_IDandSECRET_ACCESS_KEY(for worker reads viaget_source_storage()), theget_dailyco_storage()factory started passing bothrole_arnAND access keys to the constructor, hitting its mutual-exclusion validation.The fix explicitly constructs
AwsStoragewith only the fieldsget_dailyco_storage()needs (bucket, region, role_arn), keeping it cleanly separated fromget_source_storage("daily")which uses only access keys.Added 11 new tests covering all storage factory construction cases.
Related Issue
Follow-up to the platform-agnostic source storage PR. The poll daily meetings worker was crashing because
get_dailyco_storage()picked up the newly added worker access keys alongside the existingrole_arn.Motivation and Context
In selfhosted deployments with Daily.co, two separate credential sets coexist under the
DAILYCO_STORAGE_AWS_*prefix:ROLE_ARN: Used by the Daily API to write recordings to S3 (viaget_dailyco_storage())ACCESS_KEY_ID/SECRET_ACCESS_KEY: Used by Hatchet workers to read/delete recordings from S3 (viaget_source_storage("daily"))AwsStorageintentionally rejects having both auth methods simultaneously. The fix ensures each factory only passes the credentials it needs.How Has This Been Tested?
29 tests pass (
uv run pytest tests/test_storage.py -v), including 11 new tests:get_dailyco_storage()(5 tests):role_credential,bucket_name,regionpropertiesget_whereby_storage()(2 tests):Storage.get_instance()get_transcripts_storage()(2 tests):get_source_storage()(1 test):Coexistence (1 test):
get_transcripts_storage,get_dailyco_storage,get_source_storage) work simultaneously with the real selfhosted config (Garage + role_arn + access keys)