Read AWS_CONTAINER_CREDENTIALS_FULL_URI env variable if set when reading a profile with credential_source.
#2790
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ading a profile with `credential_source`. Also ensure `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is always read before it
lucix-aws
reviewed
Sep 16, 2024
| } | ||
| return resolveHTTPCredProvider(ctx, cfg, ecsContainerURI(envConfig.ContainerCredentialsRelativePath), envConfig.ContainerAuthorizationToken, configs) |
There was a problem hiding this comment.
Why remove the fallback?
There was a problem hiding this comment.
This wasn't really a fallback but rather a function call after checking the args are valid
if (!isValid(a)) {
return error
}
func(a)
This is however building an ECS path, and you are correct that we could pass an empty path to ecsContainerURI to resolve to the base path directly. However, the SEP doesn't like this
If none of the above sources (the two env variables) yield a value, the provider MUST fail to resolve indicating as such.
lucix-aws
approved these changes
Sep 16, 2024
wty-Bryant
approved these changes
Sep 16, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
EKS (Elastic Kubernetes Service) is a managed service for running Kubernetes clusters. Pods are the smallest deployable units in Kubernetes, consisting of one or more containers, and are managed within a cluster.EKS Pod identity is a new feature of AWS, which allows individual pods to be mapped to a specific IAM roles
For the SDKs, this means that EKS Pod Identity sets
AWS_CONTAINER_CREDENTIALS_FULL_URIandAWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, which are used to retrieve credentials.This IAM role must exist within your own AWS account.
use case
Customers want to be able to easily be able to assume the role of another AWS account, since it's a common pattern to have one AWS account managing the EKS cluster and others that host things like DynamoDB tables or S3 buckets. Right now, customers can setup IAM role chaining via code, but they want to be able to do it via profiles, like
Problem
Go SDK currently didn't read from
AWS_CONTAINER_CREDENTIALS_FULL_URIwhen resolving credentials from a shared AWS config file, it only readAWS_CONTAINER_CREDENTIALS_RELATIVE_URI. Since this is not what EKS Pod identity sets, the request failed.Additionally, while we have a SEP that defines the priority between these variables, this wasn't implemented.