aws-actions / configure-aws-credentials

Configure AWS credential environment variables for use in other GitHub Actions.
MIT License

Support for EKS Pod Identities #942

Open jtschelling opened 9 months ago

jtschelling commented 9 months ago

Describe the feature

When I try and use this GitHub action to assume into a role that my pod has the permissions to assume into, the action errors out with: Error: Credentials could not be loaded, please check your action inputs: 169.254.170.23 is not a valid container metadata service hostname

This github action does not currently support the pod identities feature tmk.

Use Case

I have an EKS cluster that I run self-hosted runners in through the actions-runner-controller project. I want to use pod identities to simplify my IAM management.

Proposed Solution

Use the client-eks-auth feature in the aws sdk https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-eks-auth/README.md

Other Information

No response


tim-finnigan commented 9 months ago

Thanks for the feature request. Here is documentation on EKS Pod Identities for our reference: https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html.

Others can 👍 this issue to show support and comment to share use cases and additional info.

jmbravo commented 6 months ago

Probably related to https://github.com/aws/aws-sdk-js-v3/issues/5709 ?

I'm getting the same error.

Got the same error also in Atlantis pod but upgrading Terraform AWS provider fixed the issue.

@jtschelling did you find a workaround for this?

yurii-kryvosheia commented 5 months ago

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

jmbravo commented 5 months ago

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

In which component?

yurii-kryvosheia commented 4 months ago

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

In which component?

In configure-aws-credentials action.

casey-robertson-paypal commented 4 months ago

This is the auth method that AWS recommends for EKS - it's been over 6 months now.....

gabordk commented 3 months ago

@tim-finnigan sorry for bugging but using pod identities is the official, AWS recommended way to access AWS resources. Could you please raise the priority of this issue? Thanks.

gabordk commented 3 months ago

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

In which component?

In configure-aws-credentials action.

Hi @yurii-kryvosheia, would you mind giving a little more detailed description of how you managed to get around this issue? Thanks a lot.

jmbravo commented 3 months ago

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

In which component?

In configure-aws-credentials action.

EKS Pod Identity doesn't work in any aws-credential version (that's the purpose of this issue), I still don't understand your point.

yurii-kryvosheia commented 2 months ago

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

In which component?

In configure-aws-credentials action.

Hi @yurii-kryvosheia, would you mind giving a little more detailed description of how you managed to get around this issue? Thanks a lot.

I'm sorry, I didn't dig into this issue, I just rolled back to v2.2.0.

bogdan-matei commented 1 week ago

It seems that this has been fixed in https://github.com/aws/aws-sdk-js-v3/pull/5739 so the SDK version should be updated. The repository received lots of updates in the meantime, but no tags have been released.

I just checked out this commit 0fc95ed93529d540ccff34b6c330f66318bdc888 rather than a specific tag and EKS Pod Identity works.
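Added example, not part of the thread and not code from the action or the AWS SDK: a small diagnostic for a self-hosted runner pod that models the hostname allowlist behind the error in the original report. Container credential providers only send the authorization token to an allowlisted endpoint, so a provider that predates EKS Pod Identity rejects the agent's link-local address. Both allowlists and the names `diagnose` and `SAMPLE_POD_ENV` are assumptions made for illustration.

```javascript
// Assumed allowlist of a provider that predates EKS Pod Identity (loopback only).
const LEGACY_HOSTS = new Set(["localhost", "127.0.0.1"]);
// Assumed allowlist of a Pod-Identity-aware provider.
const CURRENT_HOSTS = new Set([
  ...LEGACY_HOSTS,
  "[::1]",
  "169.254.170.2",   // ECS task credentials endpoint
  "169.254.170.23",  // EKS Pod Identity Agent (IPv4), the address in the reported error
  "[fd00:ec2::23]",  // EKS Pod Identity Agent (IPv6)
]);

// Classify the container-credential environment a pod presents to the SDK.
function diagnose(env) {
  const full = env.AWS_CONTAINER_CREDENTIALS_FULL_URI;
  if (!full) {
    return { mode: env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ? "ecs-relative-uri" : "none" };
  }
  let url;
  try {
    url = new URL(full);
  } catch {
    return { mode: "invalid-uri" };
  }
  const host = url.hostname; // IPv6 literals keep their brackets
  const legacyAccepts = LEGACY_HOSTS.has(host);
  return {
    mode: "full-uri",
    host,
    legacyAccepts,
    // A plain-http endpoint must be allowlisted; https to any host is assumed acceptable.
    currentAccepts: url.protocol === "https:" || CURRENT_HOSTS.has(host),
    hasTokenFile: Boolean(env.AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE),
    legacyError: legacyAccepts
      ? null
      : `${host} is not a valid container metadata service hostname`,
  };
}

// Constructed sample of the variables EKS Pod Identity injects into a pod.
const SAMPLE_POD_ENV = {
  AWS_CONTAINER_CREDENTIALS_FULL_URI: "http://169.254.170.23/v1/credentials",
  AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE:
    "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token",
};

console.log(diagnose(SAMPLE_POD_ENV));
```

Calling `diagnose(process.env)` inside the runner pod shows whether Pod Identity variables are present at all, which separates an SDK-side rejection from a missing pod identity association.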