Missing feature: Assuming an IAM role via AWS EKS pod identity #7638
Comments
@danopia, did you make any progress on this?
Hello, I haven't actually started editing code on this plugin, as it's kinda more of a 'nice to have' value-add to kong in my situation. I think the main concerns from me are getting the environment variables and reading the OS file that the variables point to. It looks like this feature would only work with additional nginx directives such as The environment variables could be worked around by requiring the user to copy their values into the plugin config, but the proper method would be using them as-is since the variables are injected by EKS and the real AWS SDKs use them directly.
@danopia I do not think that is the case. The environment variables are not accessible from the workers, but then again, you only need to read them once at system startup, so you should be able to collect them in the
Hi all, I'm working to develop the code to retrieve credentials in the EKS environment from AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE. I also added a configuration variable (config.aws_role_session_name) to assume another role than the role defined in AWS_ROLE_ARN. I'm not sure if I will ever create a PR for the reasons below but it might help someone:
Branch: retrieve credentials in EKS environment from service account or given role
@Tieske, eventually, I finished the development and made a PR (Lambda/web token identity and refacto) to review the code.
What I didn't test:
Any chance that the PR in the last comment (Lambda/web token identity and refacto) would be accepted if it were rebased here? The lack of support for this was a big surprise for us.
This plugin has not yet switched to using the AWS SDK, which it should (instead of duplicating the auth code here). That would automatically enable the identity files; see https://github.com/Kong/lua-resty-aws/blob/main/src/resty/aws/credentials/TokenFileWebIdentityCredentials.lua
Is there an ETA by when the above changes to the plugin will be made available? Which release?
Is anyone willing to submit a patch and make a contribution to make this happen?
If this matter is not urgent, I will try to deal with it starting from next week.
my 2cts: remove all auth-code and replace it with the AWS-SDK credential classes. The AWS base class defaults to the aws:CredentialProviderChain which will cover most use cases. Assuming roles can be done with the ChainedTemporaryCredentials.
Done in #11350
Looking at the options and code in this repo, there is support for retrieving short-lived credentials from the EC2 Metadata service (and thus kube2iam, kiam, etc.), but the newer Kubernetes method of using Web Identity files is not implemented yet.

Here's a technical overview of IAM pod identity: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html

The fundamental difference with web identity is that a new environment variable points to a file on disk, which contains a JWT that can be submitted to the sts:AssumeRoleWithWebIdentity API, returning a 1-hr credential that can then be used just like normal instance metadata credentials. The file on disk gets rotated every ~12 hours by default so it does have to be re-read at some interval. Obviously there's a bit of new complexity getting a usable credential this way, but it's more reliable and less hacky than solutions like kube2iam, so there's reason to add it.

I'll probably make my own attempt at this soon, so I'm filing this ticket now for awareness and to solicit input on the best place to implement this.
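The credential flow the issue describes (and the one the SDK's TokenFileWebIdentityCredentials class mentioned above encapsulates) is small enough to show end to end: read AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, read the JWT from the file, exchange it via sts:AssumeRoleWithWebIdentity for ~1h credentials, cache them, and re-read the token file on every refresh because the projected token is rotated. The provider below is an added illustration written for this thread, not code from Kong, the plugin, or lua-resty-aws. The STS call is injected as a callable so the example runs offline; `make_fake_sts`, `WebIdentityCredentials`, `demo`, the 300 s refresh margin, the session-name default and every key, ARN and token value are constructed for the example.

```python
"""Web-identity credential provider sketch (added example, not Kong's code)."""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed shape of the injected STS call: (role_arn, session_name, jwt) -> response dict
StsCall = Callable[[str, str, str], Dict]


@dataclass
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: float  # unix time


class WebIdentityCredentials:
    """Cache credentials, refresh shortly before expiry, re-read the token file each time."""

    def __init__(self, sts_call: StsCall, env: Optional[Dict[str, str]] = None,
                 refresh_margin: float = 300.0, clock: Callable[[], float] = time.time):
        self._sts = sts_call
        self._env = env if env is not None else dict(os.environ)
        self._margin = refresh_margin  # refresh this many seconds before expiry (assumed value)
        self._clock = clock
        self._cached: Optional[Credentials] = None
        self.refresh_count = 0

    def _read_token(self) -> str:
        # Read from disk on every refresh: EKS rotates the projected token file.
        path = self._env["AWS_WEB_IDENTITY_TOKEN_FILE"]
        with open(path, "r", encoding="utf-8") as fh:
            token = fh.read().strip()
        if not token:
            raise RuntimeError("empty web identity token file: %s" % path)
        return token

    def get(self) -> Credentials:
        now = self._clock()
        if self._cached is not None and self._cached.expiration - self._margin > now:
            return self._cached  # still valid with margin to spare
        role_arn = self._env["AWS_ROLE_ARN"]
        session = self._env.get("AWS_ROLE_SESSION_NAME", "web-identity-session")
        resp = self._sts(role_arn, session, self._read_token())
        self._cached = Credentials(resp["AccessKeyId"], resp["SecretAccessKey"],
                                   resp["SessionToken"], float(resp["Expiration"]))
        self.refresh_count += 1
        return self._cached


def make_fake_sts(clock: Callable[[], float], ttl: float = 3600.0) -> StsCall:
    """Constructed stand-in for sts:AssumeRoleWithWebIdentity; records the JWTs it receives."""
    seen: List[str] = []

    def call(role_arn: str, session_name: str, jwt: str) -> Dict:
        seen.append(jwt)
        return {
            "AccessKeyId": "ASIAEXAMPLECONSTRUCTED",      # constructed, not a real key
            "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-session-token",
            "Expiration": clock() + ttl,                  # 1h lifetime, as the issue describes
        }

    call.seen = seen  # type: ignore[attr-defined]
    return call


def demo(tmp_dir: Optional[str] = None) -> Dict:
    """Exercise caching, refresh-before-expiry and token-file rotation; returns a summary."""
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    token_path = os.path.join(tmp_dir, "token")
    with open(token_path, "w", encoding="utf-8") as fh:
        fh.write("constructed.jwt.one\n")
    env = {  # what EKS would inject; values constructed for the example
        "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/example-constructed",
        "AWS_WEB_IDENTITY_TOKEN_FILE": token_path,
    }
    now = [1_700_000_000.0]
    clock = lambda: now[0]  # controllable clock so the run is deterministic
    sts = make_fake_sts(clock)
    provider = WebIdentityCredentials(sts, env=env, clock=clock)

    first = provider.get()          # cold: reads file, calls STS
    second = provider.get()         # warm: served from cache, no STS call
    with open(token_path, "w", encoding="utf-8") as fh:
        fh.write("constructed.jwt.two\n")   # simulate the ~12h projected-token rotation
    now[0] += 3400                  # inside the 300 s margin before the 1h expiry
    third = provider.get()          # refresh: re-reads the rotated file, calls STS again
    return {
        "refreshes": provider.refresh_count,
        "cached_hit": first is second,
        "tokens_sent": list(sts.seen),
        "third_expires_at": third.expiration,
    }


if __name__ == "__main__":
    print(demo())
```

The point worth keeping from this sketch, whichever language the real implementation lands in, is that the file read sits inside the refresh path rather than at startup: a provider that reads the token once would keep presenting an expired JWT after rotation and start failing roughly 12 hours in, while the environment variables themselves can safely be captured once at startup as the comment above notes.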