Support Web Identity providers for IAM credentials for AWS EKS #1156

Closed
barryib opened this issue Sep 9, 2019 · 6 comments
barryib commented Sep 9, 2019

Add support for Web Identity providers for IAM credentials for AWS EKS (IAM Roles for Service Accounts) https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

This will be very useful in Thanos (thanos-io/thanos#1494) running in an EKS cluster.

@harshavardhana (Member)

We already support that @barryib

@kannappanr (Collaborator)

@barryib Closing this issue now. Please feel free to reach out to us if you have other such questions at https://slack.min.io

kannappanr added this to the Current milestone Sep 9, 2019
barryib (Author) commented Sep 10, 2019

I don't think it is implemented. This is a new way (which came out a few days ago) for AWS to provide IAM roles to Kubernetes pods and service accounts in an EKS cluster.

This method adds new env vars like:

AWS_ROLE_ARN=arn:aws:iam::AWS_ACCOUNT_ID:role/IAM_ROLE_NAME
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

This was added recently in all AWS SDKs. Here are some PRs: aws/aws-sdk-go#2667 and aws/aws-sdk-go-v2#2867

More info here:

@harshavardhana (Member)

@barryib this is very specific to AWS - feel free to send a PR, we may not have cycles to address this at this moment.

@kannappanr (Collaborator)

@barryib Closing this issue now. Please feel free to send a PR when you get a chance

saracen added a commit to saracen/minio-go that referenced this issue Nov 11, 2019
This supports the new AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment
variables, that allow exchanging OIDC tokens given to pods in EKS for access
tokens.

Fixes minio#1156
saracen added a commit to saracen/minio-go that referenced this issue Nov 12, 2019
saracen added a commit to saracen/minio-go that referenced this issue Dec 5, 2019
nitisht pushed a commit that referenced this issue Jan 7, 2020
This supports the new AWS_WEB_IDENTITY_TOKEN_FILE and 
AWS_ROLE_ARN environment variables, that allow exchanging 
OIDC tokens given to pods in EKS for access tokens.

Fixes #1156