awslabs / aws-sigv4-proxy

This project signs and proxies HTTP requests with Sigv4
Apache License 2.0

Support for EKS Pod Identity #190

Open allamand opened 9 months ago

allamand commented 9 months ago

I would like to use the SigV4 proxy, not using IRSA, which is already working, but relying on the new Pod Identity.

It seems it needs an upgrade of the SDK to let it work natively.

allamand commented 5 months ago

Note, this can be done using envoy proxy cf: https://catalog.us-east-1.prod.workshops.aws/workshops/165b0729-2791-4452-8920-53b734419050/en-US/6-network-security/2-vpc-lattice-service-access/3-single-cluster-usecases/5-service-connect-https-custom-domain/1-inject-envoy-kyverno

eahangari-8x8 commented 5 months ago

Hey @allamand I just found this issue by chance. I have the same problem using sigv4proxy for kubecost. I keep getting this error:

    time="2024-06-27T20:31:22Z" level=error msg="unable to proxy request" error="NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"

Is there any workaround for this? Can I use Istio for it, instead of Kyverno? I would really appreciate it if you could help me with this.

allamand commented 5 months ago

@eahangari-8x8 did you try using Envoy as described in the link above? Kyverno is just used to automatically inject the sidecar but is not needed; you can also add it manually.

eahangari-8x8 commented 5 months ago

@allamand I'm using Istio on this cluster for other purposes. It has injected the sidecar into the kubecost ns, but I got the error which I sent before. The sigv4proxy container doesn't support EKS Pod Identity, I guess.

allamand commented 5 months ago

EKS Pod Identity is very recent in Envoy; you may need to check if the version injected by Istio is compatible with it.

You can still inject a second Envoy sidecar that you manage, as I did with Kyverno in the shared example.


jennerm commented 1 month ago

Hi @allamand, I see that since the date that your PR 191 was raised, go.mod is now referencing a new version of the AWS SDK:

    require (
        github.com/aws/aws-sdk-go v1.55.3

Can we assume that Pod Identity is now supported?

Update: Looks like that change was made on Jul 28th, and v1.9 was released on Jul 18th, so I guess it missed the cut? 😔 Thanks

allamand commented 1 month ago

I didn’t test the latest version to confirm if it does. But this version of the SDK should support it.
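
A diagnostic for the `NoCredentialProviders` error discussed in this thread, as an added example that is not part of the issue or of the aws-sigv4-proxy code base: it reports whether a container's environment is set up for IRSA or for EKS Pod Identity. `credentialSource` and its return strings are hypothetical names; the environment variables and agent addresses are the ones EKS injects into pods.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
)

// Link-local addresses of the EKS Pod Identity agent (IPv4, IPv6).
var agentHosts = map[string]bool{"169.254.170.23": true, "fd00:ec2::23": true}

// Environment variables that select a credential source.
var credVars = []string{
	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
	"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE",
	"AWS_CONTAINER_CREDENTIALS_FULL_URI", "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE",
}

// credentialSource (hypothetical helper) names the mechanism env configures,
// checked roughly in the order an AWS SDK default chain would try them.
func credentialSource(env map[string]string) string {
	switch {
	case env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "":
		return "static-env"
	case env["AWS_ROLE_ARN"] != "" && env["AWS_WEB_IDENTITY_TOKEN_FILE"] != "":
		return "irsa" // projected service account token + role ARN
	case env["AWS_CONTAINER_CREDENTIALS_FULL_URI"] != "":
		u, err := url.Parse(env["AWS_CONTAINER_CREDENTIALS_FULL_URI"])
		if err != nil || !agentHosts[u.Hostname()] {
			return "container-endpoint-unrecognized" // not the Pod Identity agent
		}
		if env["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"] == "" {
			return "pod-identity-missing-token-file"
		}
		return "pod-identity"
	default:
		return "none" // nothing injected: check the association / webhook
	}
}

func main() {
	env := map[string]string{}
	for _, k := range credVars {
		env[k] = os.Getenv(k)
	}
	fmt.Println("credential source:", credentialSource(env))
}
```

If this reports `pod-identity` inside the proxy container while the proxy still logs `NoCredentialProviders`, the environment is wired for Pod Identity and the remaining suspect is the SDK version built into that image.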