awslabs / aws-sigv4-proxy

This project signs and proxies HTTP requests with Sigv4
Apache License 2.0

Support for EKS Pod Identity #190

Open allamand opened 5 months ago

allamand commented 5 months ago

I would like to use Sigv4 proxy, but not using IRSA, which is already working, but relying on new Pod Identity.

Seems it needs an upgrade for the SDK to let it work natively.

allamand commented 4 weeks ago

Note, this can be done using envoy proxy cf: https://catalog.us-east-1.prod.workshops.aws/workshops/165b0729-2791-4452-8920-53b734419050/en-US/6-network-security/2-vpc-lattice-service-access/3-single-cluster-usecases/5-service-connect-https-custom-domain/1-inject-envoy-kyverno

eahangari-8x8 commented 1 week ago

Hey @allamand, I just found this issue by chance. I have the same problem using sigv4proxy for kubecost. I keep getting this error:

 time="2024-06-27T20:31:22Z" level=error msg="unable to proxy request" error="NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"

Is there any workaround for this? Can I use istio for it, instead of Kyverno? I would really appreciate it if you could help me with this.

allamand commented 1 week ago

@eahangari-8x8 did you try the use of envoy as described in the link above? Kyverno is just used to automatically inject the sidecar but is not needed; you can also add it manually.

eahangari-8x8 commented 1 week ago

@allamand I'm using istio on this cluster for other purposes; it has injected the sidecar into the kubecost ns, but I got the error which I sent before. The sigv4proxy container doesn't support EKS Pod Identity, I guess.

allamand commented 6 days ago

EKS Pod Identity is very recent in envoy; you may need to check if the version injected by istio is compatible with it.

You can still inject a second envoy sidecar that you manage, as I did with kyverno in the shared example.
