confluent-csid-provider-aws plugin does not support IRSA

[pauls-baby]

Unable to use IAM role for service account auth in DefaultAWSCredentialProviderChain for authenticating debezium-connect pod running in the cluster to access secrets from AWS secrets manager despite having correct permissions. The relevant environment variable AWS_WEB_IDENTITY_TOKEN_FILE was evidently not took into consideration.

Found this from the logs:

DEBUG  ||  Unable to load credentials from WebIdentityTokenCredentialsProvider: com.amazonaws.SdkClientException: To use assume role profiles the aws-java-sdk-sts module must be on the class path.

[ddonaghy-c]

Hey @pauls-baby Thank you for your contribution. A version with this change included has been uploaded to the Confluent Hub here: https://www.confluent.io/hub/confluentinc/csid-secrets-provider-aws.

[pauls-baby]

@ddonaghy-c Happy to contribute!! Also thank you for the quick response and letting me know the same. :-)

[NathanT02]

@pauls-baby I am trying to make this work with IRSA could you provide an example config? I got it working with the acces token and secret in the params but looking to work with IAM roles but can't get it working 😢.

Could you help me out?

[pauls-baby]

@NathanT02 You would need to create an IAM role in AWS with appropriate permissions and then define a service account in Kubernetes to use the IAM role. Now, pass the service account's name to the Pod definition's "serviceAccountName" field.