awslabs / coldsnap

A command line interface for Amazon EBS snapshots
Apache License 2.0
194 stars 24 forks

Support EKS IAM roles for service accounts #122

Closed. jbg closed this 2 years ago

jbg commented 2 years ago

The default Rusoto ChainProvider doesn't include WebIdentityProvider, so it doesn't pick up the IAM role associated with a ServiceAccount in EKS.

In our own tools that use Rusoto and run inside EKS, we use AutoRefreshingProvider::new(WebIdentityProvider::from_k8s_env()) as the credential provider. It would be great if there was a way to configure coldsnap to use this provider!
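
The selection logic behind the request above, as an added example that is not part of this issue thread or of coldsnap's code: a std-only Rust function that inspects the two environment variables `WebIdentityProvider::from_k8s_env` reads (`AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN`) and decides whether a tool should build the web identity provider or keep the default `ChainProvider`. The enum and error names, the ARN shape check and the sample role ARN in the test are assumptions of this example; the rusoto provider types are only named in comments so the block runs without the crate.

```rust
use std::collections::HashMap;
use std::fs;

/// Which credential source a tool like coldsnap should construct.
/// (Added example, not coldsnap's own code; the provider names in the
/// comments are the rusoto ones discussed in the issue.)
#[derive(Debug, PartialEq, Eq)]
pub enum CredentialSource {
    /// IRSA is configured: wrap WebIdentityProvider::from_k8s_env() in
    /// AutoRefreshingProvider so the STS credentials are renewed.
    WebIdentity { role_arn: String, token_file: String },
    /// No IRSA variables at all: keep the default ChainProvider.
    DefaultChain,
}

/// Reasons a partially or badly configured IRSA environment is rejected
/// instead of silently falling back to the chain.
#[derive(Debug, PartialEq, Eq)]
pub enum IrsaConfigError {
    MissingTokenFile,
    MissingRoleArn,
    UnreadableTokenFile(String),
    EmptyToken,
    MalformedRoleArn(String),
}

/// Decide which credential source to build from the process environment.
/// `env` is passed in explicitly so the logic is testable; the variable
/// names are the ones WebIdentityProvider::from_k8s_env reads.
pub fn select_credential_source(
    env: &HashMap<String, String>,
) -> Result<CredentialSource, IrsaConfigError> {
    let token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE").filter(|v| !v.is_empty());
    let role_arn = env.get("AWS_ROLE_ARN").filter(|v| !v.is_empty());

    match (token_file, role_arn) {
        // Nothing set: not an IRSA pod, use the normal chain.
        (None, None) => Ok(CredentialSource::DefaultChain),
        // Half-configured IRSA is a misconfiguration worth surfacing loudly.
        (Some(_), None) => Err(IrsaConfigError::MissingRoleArn),
        (None, Some(_)) => Err(IrsaConfigError::MissingTokenFile),
        (Some(path), Some(arn)) => {
            // Accept any partition (aws, aws-cn, aws-us-gov) but insist on an IAM role ARN.
            if !arn.starts_with("arn:") || !arn.contains(":iam::") || !arn.contains(":role/") {
                return Err(IrsaConfigError::MalformedRoleArn(arn.clone()));
            }
            // The projected service-account token must exist and be non-empty,
            // otherwise every STS AssumeRoleWithWebIdentity call would fail later.
            let token = fs::read_to_string(path)
                .map_err(|e| IrsaConfigError::UnreadableTokenFile(format!("{}: {}", path, e)))?;
            if token.trim().is_empty() {
                return Err(IrsaConfigError::EmptyToken);
            }
            Ok(CredentialSource::WebIdentity {
                role_arn: arn.clone(),
                token_file: path.clone(),
            })
        }
    }
}

fn main() {
    // Stand-alone use: inspect the real process environment and report.
    let env: HashMap<String, String> = std::env::vars().collect();
    match select_credential_source(&env) {
        Ok(CredentialSource::DefaultChain) => {
            println!("IRSA not configured; would use ChainProvider::new()")
        }
        Ok(CredentialSource::WebIdentity { role_arn, token_file }) => println!(
            "IRSA configured: role {}, token at {}; would use \
             AutoRefreshingProvider::new(WebIdentityProvider::from_k8s_env())",
            role_arn, token_file
        ),
        Err(e) => eprintln!("IRSA environment is misconfigured: {:?}", e),
    }
}
```

The design choice worth noting is that a half-configured IRSA environment (one variable without the other, a missing or empty token file, a value that is not a role ARN) is reported as an error rather than quietly falling back to the chain, so a pod that was meant to use its service-account role never ends up using whatever other credentials happen to be reachable.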

jbg commented 2 years ago

FWIW, I'm using this patch at the moment, but if added as an actual feature I guess it should be made configurable. Alternatively switching from rusoto to aws_sdk_rust would get this behaviour for free since its default credential chain includes web identity.

diff --git a/Cargo.toml b/Cargo.toml
index cf54606..472edc5 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -27,6 +27,7 @@ rusoto_credential = "0.48.0"
 rusoto_ebs = { version = "0.48.0", default-features = false }
 rusoto_ec2 = { version = "0.48.0", default-features = false }
 rusoto_signature = "0.48.0"
+rusoto_sts = "0.48.0"
 snafu = "0.7"
 indicatif = "0.16.2"
 tempfile = "3.3.0"
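
Review bot: the added `rusoto_sts = "0.48.0"` line omits the `default-features = false` that the neighbouring `rusoto_ebs` and `rusoto_ec2` entries carry, so whatever default feature the project deliberately disables on its other rusoto crates (for rusoto this is where the TLS backend is chosen) would be pulled in again through the STS crate; suggest matching the sibling entries with `rusoto_sts = { version = "0.48.0", default-features = false }`.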
diff --git a/src/bin/coldsnap/client.rs b/src/bin/coldsnap/client.rs
index 6ad2f35..9f3e3ba 100644
--- a/src/bin/coldsnap/client.rs
+++ b/src/bin/coldsnap/client.rs
@@ -46,7 +46,7 @@ macro_rules! build_client {
             Some(provider) => Ok(<$client_type>::new_with(http_client, provider, region)),
             None => Ok(<$client_type>::new_with(
                 http_client,
-                ChainProvider::new(),
+                rusoto_credential::AutoRefreshingProvider::new(rusoto_sts::WebIdentityProvider::from_k8s_env()).unwrap(),
                 region,
             )),
         }
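
Review bot: swapping `ChainProvider::new()` for the web identity provider unconditionally removes the default chain (environment variables, shared profile, container and instance metadata) for every user not running under IRSA, and the `.unwrap()` on `AutoRefreshingProvider::new(...)` turns a credential-setup failure into a panic although both match arms already return a `Result` via `Ok(...)`. Since `WebIdentityProvider::from_k8s_env()` reads `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN`, suggest building the web identity provider only when those are present and keeping `ChainProvider::new()` as the fallback (the comment itself says the feature should be configurable), and mapping the error into the function's error type with `?` instead of unwrapping.
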
jpculp commented 2 years ago

Hi @jbg! Thank you for reaching out and I'm really sorry this got lost in the shuffle. At the moment we are working on transitioning from rusoto to the AWS SDK for Rust, where you are right that we'd get this behavior for free and the macro could just go away. That said, I think we should leave this issue open until that change gets released.

jbg commented 2 years ago

Hey @jpculp I noticed the commit moving coldsnap to aws-sdk-rust, so I gave the latest code from the develop branch a try within an EKS Pod with IRSA. I wasn't able to complete a full test because of an unrelated issue with the current code in develop (coldsnap upload hangs forever), but I did notice that it successfully creates a snapshot (which stays at 0% progress and eventually fails). That's enough to prove that the authentication using the web identity provider is working, so I'm going to go ahead and close this ticket. Thanks!