Closed jbg closed 2 years ago
FWIW, I'm using this patch at the moment, but if added as an actual feature I guess it should be made configurable. Alternatively switching from rusoto to aws_sdk_rust would get this behaviour for free since its default credential chain includes web identity.
diff --git a/Cargo.toml b/Cargo.toml
index cf54606..472edc5 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -27,6 +27,7 @@ rusoto_credential = "0.48.0"
rusoto_ebs = { version = "0.48.0", default-features = false }
rusoto_ec2 = { version = "0.48.0", default-features = false }
rusoto_signature = "0.48.0"
+rusoto_sts = "0.48.0"
snafu = "0.7"
indicatif = "0.16.2"
tempfile = "3.3.0"
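Review bot: the sibling Rusoto crates in this block (`rusoto_ebs`, `rusoto_ec2`) are declared with `default-features = false`, while the new `rusoto_sts = "0.48.0"` line pulls in the crate's default features; unless the STS client needs a different TLS backend from the rest, declare it the same way, `rusoto_sts = { version = "0.48.0", default-features = false }`, so one crate does not reintroduce the features the others deliberately disable.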
diff --git a/src/bin/coldsnap/client.rs b/src/bin/coldsnap/client.rs
index 6ad2f35..9f3e3ba 100644
--- a/src/bin/coldsnap/client.rs
+++ b/src/bin/coldsnap/client.rs
@@ -46,7 +46,7 @@ macro_rules! build_client {
Some(provider) => Ok(<$client_type>::new_with(http_client, provider, region)),
None => Ok(<$client_type>::new_with(
http_client,
- ChainProvider::new(),
+ rusoto_credential::AutoRefreshingProvider::new(rusoto_sts::WebIdentityProvider::from_k8s_env()).unwrap(),
region,
)),
}
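Review bot: the `.unwrap()` on `rusoto_credential::AutoRefreshingProvider::new(...)` turns a credential setup failure into a panic inside an arm that otherwise returns `Ok(...)`, so the error should be returned through the function's `Result` like the rest of the macro's failures; the arm also replaces `ChainProvider::new()` outright rather than adding to it, so callers outside EKS lose the previous default credential lookup. Suggest keeping the chain as the default and selecting the web identity provider only when the user asks for it (the accompanying comment already says it should be configurable) or when the variables `from_k8s_env` reads are present.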
Hi @jbg! Thank you for reaching out and I'm really sorry this got lost in the shuffle. At the moment we are working on transitioning from rusoto to the AWS SDK for Rust, where you are right that we'd get this behavior for free and the macro could just go away. That said, I think we should leave this issue open until that change gets released.
Hey @jpculp I noticed the commit moving coldsnap to aws-sdk-rust, so gave the latest code from the develop branch a try within an EKS Pod with IRSA. I wasn't able to complete a full test, because of an unrelated issue with the current code in develop: coldsnap upload hangs forever, but I did notice that it successfully creates a snapshot (which stays at 0% progress and eventually fails). That's enough to prove that the authentication using the web identity provider is working, so I'm going to go ahead and close this ticket. Thanks!
The default Rusoto ChainProvider doesn't include WebIdentityProvider, so it doesn't pick up the IAM role associated with a ServiceAccount in EKS. In our own tools that use Rusoto and run inside EKS, we use AutoRefreshingProvider::new(WebIdentityProvider::from_k8s_env()) as the credential provider. It would be great if there was a way to configure coldsnap to use this provider!