Closed t089 closed 5 years ago
I am not familiar enough with EKS to know how this should work.
Are you trying to follow this documentation - https://github.com/aws-samples/aws-workshop-for-kubernetes/blob/master/04-path-security-and-networking/402-authentication-and-authorization/readme.adoc#iam-container-roles-using-kube2iam
Ok I figured it out: `http://169.254.169.254/latest/meta-data/iam/security-credentials` lists `s3access`, the role you call, eg `http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access`
The Java `InstanceProfileCredentialsProvider` just uses the first available role to obtain credentials for the AWS SDK running on an EC2 instance.
```java
// Excerpt from the AWS SDK for Java InstanceProfileCredentialsProvider
private static class InstanceMetadataCredentialsEndpointProvider extends CredentialsEndpointProvider {
    @Override
    public URI getCredentialsEndpoint() throws URISyntaxException, IOException {
        // e.g. http://169.254.169.254
        String host = EC2MetadataUtils.getHostAddressForEC2MetadataService();
        // GET /latest/meta-data/iam/security-credentials/ returns newline-separated role names
        String securityCredentialsList = EC2CredentialsUtils.getInstance().readResource(new URI(host + EC2MetadataUtils.SECURITY_CREDENTIALS_RESOURCE));
        String[] securityCredentials = securityCredentialsList.trim().split("\n");
        // Note: split() never returns an empty array, so an empty listing yields [""] here
        if (securityCredentials.length == 0) {
            throw new SdkClientException("Unable to load credentials path");
        }
        // Only the first listed role is ever used
        return new URI(host + EC2MetadataUtils.SECURITY_CREDENTIALS_RESOURCE + securityCredentials[0]);
    }
}
```
With smoke-aws-credentials it is possible to replicate this behavior in a custom implementation of `ExpiringCredentialsRetriever` and use this with an `AwsRotatingCredentialsProvider` to make it work 👍
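The lookup described in this comment, written out as an added example (not code from the thread, the AWS SDK, or smoke-aws-credentials): list the roles under the instance metadata `security-credentials` path, take the first one as the SDK does, fetch that role's credentials document, and decide when a rotation is due from its `Expiration`. The HTTP fetch is injected so the block runs offline against constructed responses; the `fake_http_get` table, the sample key values and the five-minute refresh margin are assumptions made for the example. Because kube2iam answers on the same `169.254.169.254` address, the same retriever works unchanged behind it.

```python
"""Instance-metadata credential lookup, mirroring the SDK's first-role behaviour.
Added example; the sample IMDS responses below are constructed, not captured."""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, NamedTuple

IMDS_HOST = "http://169.254.169.254"
SECURITY_CREDENTIALS_RESOURCE = "/latest/meta-data/iam/security-credentials/"


class Credentials(NamedTuple):
    role_name: str
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime


def first_role_name(listing: str) -> str:
    """Trim, split on newlines, take the first role, as the SDK does.
    Unlike the SDK snippet, an empty listing is rejected explicitly, because
    "".split("\\n") still yields one (empty) element."""
    roles = [r for r in listing.strip().split("\n") if r]
    if not roles:
        raise RuntimeError("Unable to load credentials path: no roles listed")
    return roles[0]


def parse_credentials(role_name: str, document: str) -> Credentials:
    """Parse the JSON document served under security-credentials/<role>."""
    doc = json.loads(document)
    if doc.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned Code={doc.get('Code')!r} for role {role_name}")
    # IMDS expirations are ISO-8601 UTC timestamps such as 2020-01-01T16:00:00Z
    expiration = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Credentials(role_name, doc["AccessKeyId"], doc["SecretAccessKey"], doc["Token"], expiration)


def fetch_instance_credentials(http_get: Callable[[str], str]) -> Credentials:
    """http_get(url) -> response body. Injected so the lookup can run offline
    and so a kube2iam-proxied metadata endpoint needs no code change."""
    listing = http_get(IMDS_HOST + SECURITY_CREDENTIALS_RESOURCE)
    role = first_role_name(listing)
    document = http_get(IMDS_HOST + SECURITY_CREDENTIALS_RESOURCE + role)
    return parse_credentials(role, document)


def refresh_due_at(creds: Credentials, margin: timedelta = timedelta(minutes=5)) -> datetime:
    """Time at which a rotating provider should fetch fresh credentials (assumed margin)."""
    return creds.expiration - margin


def needs_refresh(creds: Credentials, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
    """Rotate ahead of expiry so in-flight requests do not fail on a stale token."""
    return now >= refresh_due_at(creds, margin)


# Constructed sample responses standing in for the metadata service (not real keys).
_FAKE_IMDS = {
    IMDS_HOST + SECURITY_CREDENTIALS_RESOURCE: "s3access\n",
    IMDS_HOST + SECURITY_CREDENTIALS_RESOURCE + "s3access": json.dumps({
        "Code": "Success",
        "LastUpdated": "2020-01-01T10:00:00Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretKeyNotReal",
        "Token": "exampleSessionTokenNotReal",
        "Expiration": "2020-01-01T16:00:00Z",
    }),
}


def fake_http_get(url: str) -> str:
    """Stand-in for an HTTP GET against IMDS; unknown paths behave like a 404."""
    try:
        return _FAKE_IMDS[url]
    except KeyError:
        raise RuntimeError(f"404 for {url}") from None


if __name__ == "__main__":
    creds = fetch_instance_credentials(fake_http_get)
    print(f"role={creds.role_name} key={creds.access_key_id} expires={creds.expiration.isoformat()}")
    print("refresh now?", needs_refresh(creds, datetime(2020, 1, 1, 15, 56, tzinfo=timezone.utc)))
```

On a real instance or pod, `http_get` would be something like `lambda u: urllib.request.urlopen(u, timeout=1).read().decode()`; keeping the fetch injectable is also what makes the first-role and expiry logic unit-testable without network access.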
Hey, I was wondering how one can use this framework when deploying an application on EKS (where kube2iam is installed)? In this case the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is not populated. Would it be possible to provide some value for this env in the pod configuration so that the lookup will work through kube2iam?