Implement WebIdentityTokenCredentialsProvider and add it to default chain

[kirillsalykin]

Amazon has a new auth approach https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.java#L48

Would be nice to have it as well.

Thanks.

[dchelimsky]

To consider: the AWS documentation and implementation disagree about ordering.

• https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
  • says it's last (6th of 6)
• https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.java#L48
  • says its 3rd (of 5 in the implementation, but the 5th one expands to 2 diff providers, so 3rd of 6)

[kirillsalykin]

Do you accept PRs?

[dchelimsky]

Do you accept PRs?

Sorry, no: https://github.com/cognitect-labs/aws-api#contributing

[gws]

Just noting that I am also interested in this feature, it looks like the documentation and SDKs have been updated to agree about the placement in the provider chain, and hopefully #164 (I missed this issue the first time around, whoops!) can help.

[rodolfo42]

👋 Just noting we're also interested in getting this in the official lib, we need it so we can properly use EKS with WebIdentity for service account IAM roles (which is the recommended way from AWS).

For now we survived by incorporating the code from a gist from @gws (thanks for that - we kept your copyright notice)

[NoahTheDuke]

We'd love to use this library but this is currently show-stopper.

[avocade]

Ran into this issue as well today :D We'll add it to our custom credentials chain, but would be great of course if it could be included in the lib.

[StankovicMarko]

@rodolfo42 actually this piece of code saved me :) I was looking into it yesterday but couldn't figure it it never occurred to me to starts sts-client with empty credentials and also thanks to the @gws for making it.

It seems to be working well

[cddr]

I see the linked AWS docs and code now seem to agree. 3rd out of 6 in both places.

[itai-spiritt]

I'm not sure if it's implemented or not, but I'm getting the error:

"Execution error (FileNotFoundException) at java.io.FileInputStream/open0 (FileInputStream.java:-2).\nclj (No such file or directory)\n",
 :clojure.main/triage
 {:clojure.error/class java.io.FileNotFoundException,
  :clojure.error/line -2,
  :clojure.error/cause "clj (No such file or directory)",
  :clojure.error/symbol java.io.FileInputStream/open0,
  :clojure.error/source "FileInputStream.java",
  :clojure.error/phase :execution},
 :clojure.main/trace
 {:via
  [{:type java.io.FileNotFoundException,
    :message "clj (No such file or directory)",
    :at [java.io.FileInputStream open0 "FileInputStream.java" -2]}],
  :trace
  [[java.io.FileInputStream open0 "FileInputStream.java" -2]
   [java.io.FileInputStream open "FileInputStream.java" 213]
   [java.io.FileInputStream <init> "FileInputStream.java" 152]
   [java.io.FileInputStream <init> "FileInputStream.java" 106]
   [clojure.lang.Compiler loadFile "Compiler.java" 7571]
   [clojure.main$load_script invokeStatic "main.clj" 475]
   [clojure.main$script_opt invokeStatic "main.clj" 535]
   [clojure.main$script_opt invoke "main.clj" 530]
   [clojure.main$main invokeStatic "main.clj" 664]
   [clojure.main$main doInvoke "main.clj" 616]
   [clojure.lang.RestFn applyTo "RestFn.java" 137]
   [clojure.lang.Var applyTo "Var.java" 705]
   [clojure.main main "main.java" 40]],
  :cause "clj (No such file or directory)"}}

Inside my clj pod who is configured with service account and the correct env vars

AWS_STS_REGIONAL_ENDPOINTS : regional
AWS_WEB_IDENTITY_TOKEN_FILE : /var/run/secrets/eks.amazonaws.com/serviceaccount/token
AWS_ROLE_ARN : arn:aws:iam::***