
Support for AWS_WEB_IDENTITY_TOKEN_FILE / IAM Roles for Service Accounts (K8s) #298

@dancmeyers

Description


This is similar to #286, but is not a duplicate. I'd also like to see support for IAM Roles for Service Accounts (IRSA): https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html, which is another means to get IAM roles into containers. It was created before EKS Pod Identity (the feature referenced in #286), so there are probably a lot of people still using it (including us). Also, unlike EKS Pod Identity, it works across non-AWS-EKS clusters such as EKS Anywhere (EKS-managed clusters on your own infra), self-managed K8s clusters in AWS, etc., so it still has valid use-cases that aren't covered by EKS Pod Identity.

For full support, the API would need to:

  • Pick up the AWS_WEB_IDENTITY_TOKEN_FILE env var and load the token from the listed file.
    • N.B. this token value is also periodically refreshed by the system, so must be fetched from disk on every credential refresh call.
  • Pick up the AWS_ROLE_ARN env var.
  • Use the above two to make a request to the relevant STS endpoint (related: STS service endpoint file doesn't return regional variants #297) to fetch short lived credentials using the web identity token as the auth method.
  • Parse the expected credential, TTL etc keys out of the response and auto refresh it via normal methods.

I actually have a version of this working already on our systems via a custom credentials provider, but it's not using the Cognitect http client (because other libs can take a map of kv pairs for query params, and I didn't want to have to build a query string with proper escaping manually ;)), and it assumes things like AWS_REGION rather than passing through the region provider. It also builds the endpoint hostname manually due to a seeming bug with the Cognitect STS endpoint service doc (#297). It's thus not really ready for inclusion into the lib. I started work to embed it, but got a bit stuck, ending up reimplementing a load of private functions from cognitect.aws.signers and the like to encode query params, and wasn't sure where the best place to put those functions was.
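The four steps listed in the issue (read `AWS_WEB_IDENTITY_TOKEN_FILE` on every refresh, read `AWS_ROLE_ARN`, call the regional STS endpoint with `AssumeRoleWithWebIdentity`, parse and cache the credentials until shortly before expiry) are spelled out below as an added, stand-alone example. It is not code from aws-api or from the issue author's provider; it is written in Python rather than Clojure so it can be run offline. The regional hostname pattern `sts.<region>.amazonaws.com` and the 5-minute refresh margin are assumptions; the HTTP client is injected so the example runs against a constructed STS XML response. `AssumeRoleWithWebIdentity` is one of the unsigned STS actions, so no SigV4 signing is needed, but the query string still has to be percent-encoded correctly because the JWT contains `+`, `/` and `=` in some base64 variants.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlsplit, parse_qs

STS_API_VERSION = "2011-06-15"
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")  # STS RoleSessionName constraint


def sts_endpoint(region):
    # Assumed regional hostname pattern for the standard partition.
    return f"https://sts.{region}.amazonaws.com/"


def read_web_identity_token(path):
    # Re-read on every call: the kubelet rotates the projected token file.
    with open(path, "r", encoding="utf-8") as f:
        return f.read().strip()


def build_assume_role_with_web_identity_url(region, role_arn, token, session_name,
                                            duration_seconds=3600):
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError(f"invalid RoleSessionName: {session_name!r}")
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": STS_API_VERSION,
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": token,
        "DurationSeconds": str(duration_seconds),
    }
    # urlencode percent-encodes reserved characters in the JWT (+ / =).
    return sts_endpoint(region) + "?" + urlencode(params)


def parse_assume_role_response(body):
    root = ET.fromstring(body)
    creds = root.find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")

    def text(tag):
        el = creds.find(STS_NS + tag)
        if el is None or not el.text:
            raise ValueError(f"STS response missing {tag}")
        return el.text

    expiration = text("Expiration").replace("Z", "+00:00")
    # Key names assumed to mirror the aws-api credentials map.
    return {
        "aws/access-key-id": text("AccessKeyId"),
        "aws/secret-access-key": text("SecretAccessKey"),
        "aws/session-token": text("SessionToken"),
        "expiration": datetime.fromisoformat(expiration),
    }


class IrsaCredentialsProvider:
    def __init__(self, env, region, http_get, now=None, refresh_margin=timedelta(minutes=5)):
        self.token_file = env["AWS_WEB_IDENTITY_TOKEN_FILE"]
        self.role_arn = env["AWS_ROLE_ARN"]
        self.session_name = env.get("AWS_ROLE_SESSION_NAME") or "irsa-session"
        self.region = region
        self.http_get = http_get  # callable(url) -> (status, body)
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.margin = refresh_margin
        self._cached = None

    def fetch(self):
        # Serve cached credentials unless they expire within the margin.
        if self._cached and self.now() + self.margin < self._cached["expiration"]:
            return self._cached
        token = read_web_identity_token(self.token_file)  # fresh token each refresh
        url = build_assume_role_with_web_identity_url(self.region, self.role_arn,
                                                      token, self.session_name)
        status, body = self.http_get(url)
        if status != 200:
            raise RuntimeError(f"STS returned {status}: {body[:200]}")
        self._cached = parse_assume_role_response(body)
        return self._cached


# Constructed sample response in the shape STS returns (not captured traffic).
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>ASIAEXAMPLE</AccessKeyId>
      <SecretAccessKey>secretexample</SecretAccessKey>
      <SessionToken>sessiontokenexample</SessionToken>
      <Expiration>2030-01-01T00:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""


def demo():
    # Fake HTTP client records which token each STS call carried.
    seen_tokens = []

    def fake_http_get(url):
        seen_tokens.append(parse_qs(urlsplit(url).query)["WebIdentityToken"][0])
        return 200, SAMPLE_RESPONSE

    expiry = datetime(2030, 1, 1, tzinfo=timezone.utc)
    clock = [expiry - timedelta(hours=1)]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")
        with open(path, "w") as f:
            f.write("jwt-one\n")
        env = {"AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/example",
               "AWS_WEB_IDENTITY_TOKEN_FILE": path}
        provider = IrsaCredentialsProvider(env, "eu-west-1", fake_http_get, now=lambda: clock[0])
        first = provider.fetch()
        provider.fetch()  # still valid: served from cache, no STS call
        with open(path, "w") as f:
            f.write("jwt-two\n")  # simulate kubelet rotating the token
        clock[0] = expiry - timedelta(minutes=2)  # inside the refresh margin
        provider.fetch()  # re-reads the file and calls STS again
    return first, seen_tokens
```

Running `demo()` shows the two properties the issue calls out: the second `fetch()` is served from cache, and the refresh after rotation carries the new token (`seen_tokens == ["jwt-one", "jwt-two"]`). A real provider would source `region` from the library's region provider rather than a constructor argument, which is exactly the gap the issue notes in the author's current version.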
