
Use official aws sdk #1600

Closed
brumer opened this issue Jul 30, 2019 · 4 comments

brumer commented Jul 30, 2019

Expected Behavior

I have OPA running inside Amazon EKS with attached iam role for accessing a bundle in S3.
By using AWS native SDK you can access S3 without specifying aws_region or iam_role in opa configuration.
The logic implemented in the SDK (AWS ec2_role_provider.go) solves this issue, and maybe other issues that may occur because it is re-implemented in this repo (opa aws.go).

Actual Behavior

AWS SDK was implemented here without crucial logic available in the official SDK.

Additional Info

AWS SDK for Go


tsandall commented Jul 31, 2019

If it's possible to avoid specifying the region and iam_role then we should update the auth plugin accordingly to allow that. Adding a dependency on the AWS Go SDK would be problematic due to versioning conflicts so that's unlikely to happen.

EDIT: @patrick-east can you take a look at this?

@patrick-east (Contributor) commented:

It seems like we should be able to update our minimal client code to use the same technique to call the ec2 metadata service without a role or needing the region.

+1 on the aws sdk being problematic from a dependency/versioning point of view. Looking at the library it isn't too bad, only has one additional dependency vendored in which has no additional ones. My main concern is that it starts a slippery slope of us adding in gcp, azure, k8s, openstack, etc. clients which we probably don't want since as an embedded library it is very likely the application we are being embedded in will also have at least one of those. Then we run into versioning problems.

If all we need is to add in support for this functionality IMO we can avoid it. If it turns out that this is a huge can of worms and we have other bugs/missing features/etc. then maybe we re-evaluate?
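As an added illustration of the technique patrick-east describes above (example code written for this page, not OPA's own client or anything from the thread): a small Go client that learns the attached role's name and the instance's region from the EC2 instance metadata service alone, which is what would let the `iam_role` and `aws_region` settings be dropped. It assumes the IMDSv1 paths shown in the constants and serves constructed metadata from an in-process fake server so that it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Listing credPath returns the attached role's name; the identity document carries the region.
const credPath, idDocPath = "/latest/meta-data/iam/security-credentials/", "/latest/dynamic/instance-identity/document"

// fetch GETs one IMDS path (plain HTTP on a link-local address) and treats any
// non-200 status, e.g. the 404 returned when no role is attached, as an error.
func fetch(base, path string) (string, error) {
	resp, err := http.Get(base + path)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("GET %s: HTTP %d", path, resp.StatusCode)
	}
	b, err := io.ReadAll(resp.Body)
	return strings.TrimSpace(string(b)), err
}

// Discover returns the role name and region the instance already knows, so neither
// value has to be written into the OPA configuration by hand.
func Discover(base string) (role, region string, err error) {
	if role, err = fetch(base, credPath); err != nil {
		return "", "", err
	}
	doc, err := fetch(base, idDocPath)
	if err != nil {
		return "", "", err
	}
	var id struct{ Region string } // json.Unmarshal matches "region" case-insensitively
	err = json.Unmarshal([]byte(doc), &id)
	return role, id.Region, err
}

// NewFakeIMDS serves constructed metadata (role name and region are made up) so the example runs offline.
func NewFakeIMDS() *httptest.Server {
	pages := map[string]string{credPath: "opa-bundle-reader", idDocPath: `{"region":"eu-west-1"}`}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if body, ok := pages[r.URL.Path]; ok {
			fmt.Fprint(w, body)
		} else {
			http.NotFound(w, r)
		}
	}))
}
```

On a real instance the base URL would be `http://169.254.169.254`; a 404 on the credentials listing is the signal that no instance profile is attached.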


tsandall commented Jun 9, 2020

The original ask for not requiring aws_region might be complete in the latest version of OPA. We need to review the implementation and double check. If that's the case, let's close this issue because whether we use the official AWS SDK is an implementation detail.

@ashutosh-narkar (Member) commented:

Closing this issue as the AWS signature authentication client in the latest OPA version does not require aws_region.
