abashev / vfs-s3

Amazon S3 driver for Apache commons-vfs (Virtual File System) project
Apache License 2.0
93 stars 50 forks

Support for AWS_WEB_IDENTITY_TOKEN_FILE for container running on AWS EKS cluster #77

Closed maedu closed 1 year ago

maedu commented 3 years ago

Hey guys,

We have a microservice that uses vfs-s3. We run it in a container on an AWS EKS cluster. For security reasons, we do not want to use explicit credentials, but we set up the service account of the pod to have the necessary IAM role to access our S3 bucket. For that, EKS then dynamically provides the access token in a file, which is offered via the environment variable AWS_WEB_IDENTITY_TOKEN_FILE.

Unfortunately, we are not able to get it to work; the library does not pick up that secret. It would be supported in the DefaultAWSCredentialsProviderChain, but it looks like this is not being picked up.

Can you guide us on how to get it to use those Web Identity Token credentials for the authentication?

Thanks and regards, Matthias

abashev commented 3 years ago

@maedu DefaultAWSCredentialsProviderChain - is it a part of AWS SDK v1 or v2?

maedu commented 3 years ago

Hey @abashev

We have by now found the issue: some tracing on our side revealed that aws-java-sdk-sts was missing:

    Unable to load credentials from WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path.

We added it to the build.gradle of our Spring Boot app, which uses your library:

    implementation 'com.amazonaws:aws-java-sdk-sts:1.12.39'

And then we used it in our class (here a highly shortened version):

import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.github.vfss3.S3FileSystemConfigBuilder;
import org.apache.commons.vfs2.FileSystemOptions;

public class MyClass {
  // Options passed to the VFS manager when resolving s3:// files
  private FileSystemOptions fileSystemOptions;

  // other fields and methods omitted

  public void connect() {
     fileSystemOptions = new FileSystemOptions();
     S3FileSystemConfigBuilder s3Config = S3FileSystemConfigBuilder.getInstance();
     // The default chain includes WebIdentityTokenCredentialsProvider,
     // which needs aws-java-sdk-sts on the classpath
     s3Config.setCredentialsProvider(fileSystemOptions, new DefaultAWSCredentialsProviderChain());
  }
}

So we were able to get it to run on our side, but I assume it would be best if you could also add the dependency on aws-java-sdk-sts already, so that others just get it for free (and we can also remove that explicit dependency from our build.gradle).

Thanks a lot for your support.
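The setup described in this thread, as an added example that is not vfs-s3's own code nor the reporter's: it wires the default AWS SDK v1 credential chain into vfs-s3 so a pod on EKS authenticates with its service-account web identity token rather than static keys, and it fails fast with a clear message when the pod is configured for web identity (AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN set) but aws-java-sdk-sts is missing, instead of the chain silently falling through to other providers. The STS builder class name checked via Class.forName is the one shipped in the aws-java-sdk-sts artifact mentioned above; the class name S3WebIdentityExample, the method names, and the s3 URI passed in by the caller are assumptions (the exact host form of a vfs-s3 URI depends on the vfs-s3 version).

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.github.vfss3.S3FileSystemConfigBuilder;
import org.apache.commons.vfs2.FileObject;
import org.apache.commons.vfs2.FileSystemException;
import org.apache.commons.vfs2.FileSystemOptions;
import org.apache.commons.vfs2.VFS;

/**
 * Added example, not part of vfs-s3. Assumes vfs-s3, aws-java-sdk-s3 and
 * aws-java-sdk-sts (same SDK v1 version) are on the classpath.
 */
public final class S3WebIdentityExample {

    /** Class that lives in aws-java-sdk-sts; without it the web identity provider cannot assume the role. */
    private static final String STS_CLIENT_CLASS =
            "com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder";

    private S3WebIdentityExample() {}

    /**
     * Fails early if the pod is set up for web identity but the STS module is
     * missing. Without this check the SDK logs a warning and the chain silently
     * moves on to the next provider, which is what the thread above ran into.
     */
    static void checkWebIdentityPrerequisites() {
        String tokenFile = System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE");
        String roleArn = System.getenv("AWS_ROLE_ARN");
        if (tokenFile == null || roleArn == null) {
            // Not running with a web identity token; other providers in the chain may still apply.
            return;
        }
        try {
            Class.forName(STS_CLIENT_CLASS);
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException(
                    "AWS_WEB_IDENTITY_TOKEN_FILE is set but aws-java-sdk-sts is not on the classpath; "
                            + "WebIdentityTokenCredentialsProvider cannot assume " + roleArn, e);
        }
    }

    /** Builds FileSystemOptions that make vfs-s3 obtain credentials from the default chain. */
    static FileSystemOptions webIdentityOptions() {
        FileSystemOptions opts = new FileSystemOptions();
        // The default chain tries, in order: environment variables, system properties,
        // the web identity token, the shared profile, then ECS/EC2 instance metadata.
        AWSCredentialsProvider chain = new DefaultAWSCredentialsProviderChain();
        S3FileSystemConfigBuilder.getInstance().setCredentialsProvider(opts, chain);
        return opts;
    }

    /** Resolves an s3 URI through commons-vfs with those options and reports whether it exists. */
    static boolean objectExists(String s3Uri) throws FileSystemException {
        FileObject file = VFS.getManager().resolveFile(s3Uri, webIdentityOptions());
        try {
            return file.exists();
        } finally {
            file.close();
        }
    }

    public static void main(String[] args) throws FileSystemException {
        checkWebIdentityPrerequisites();
        // Placeholder URI for this example; use the URI form your vfs-s3 version documents.
        String uri = args.length > 0 ? args[0] : "s3://my-bucket/reports/latest.csv";
        System.out.println(uri + " exists: " + objectExists(uri));
    }
}
```

Run the prerequisite check once at startup, before the first S3 access: a missing STS module then surfaces as an exception with the role ARN in it rather than as an AccessDenied or an anonymous request much later in the request path.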