# help
j
And furthermore, would I even need keys there? Presumably the lakeFS server in AWS would have a role that gave it access to the S3 bucket/folders it needs. Would the AWS S3 client in Lua see and pick up that role and use it?
o
Hey @Joe M! The underlying S3 client is a thin Lua wrapper over the Go AWS SDK. The decision to not use the role assigned to the lakeFS server (or e.g. the IAM role attached to the machine hosting lakeFS) is intentional: using hooks, any user that can write to any random repository under _lakefs_actions/ would then be able to perform any action this IAM principal is allowed to do. This is a privilege escalation. I agree hard-coding secrets in a YAML file in a repo isn't great - we do plan on supporting a secrets management API for hooks, similar to the one provided by GitHub and other similar services.