dhiaayachi / temporal

Temporal service
https://docs.temporal.io
MIT License

Allow authentication with IRSA on archival with AWS S3 #247

Open dhiaayachi opened 3 weeks ago

dhiaayachi commented 3 weeks ago

Is your feature request related to a problem? Please describe. I'm running temporal with the Helm chart in a K8s EKS cluster and configured archival with S3. I can't get IRSA to work. Maybe it's not supported yet?

The temporal pods automatically get the following env vars:

AWS_DEFAULT_REGION
AWS_REGION
AWS_ROLE_ARN 
AWS_STS_REGIONAL_ENDPOINTS 
AWS_WEB_IDENTITY_TOKEN_FILE 

Furthermore, the currently used Go SDK is supported, right?

If I update my namespace to use archival with

temporal operator namespace update --visibility-archival-state enabled --history-archival-state enabled <namespace>

I get the following error:

namespace update failed: Forbidden: Forbidden  status code: 403,

Stacktrace is not helpful due to following issue: https://github.com/temporalio/temporal/issues/983

According to several comments and PRs from different projects:

the AWS Go SDK's session.NewSession must probably be replaced with session.NewSessionWithOptions here
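Before changing how the SDK session is built, it helps to confirm that the pod side of IRSA is actually in place, because the 403 above can come from either side. The following Go program is an added example, not Temporal's code: it reads the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE variables from the list above, decodes the projected service-account token's claims (without signature verification, which STS performs), and checks that the token is unexpired and carries the sts.amazonaws.com audience. It deliberately does not import the AWS SDK, so it exercises only what the SDK's web-identity credential provider would consume; the role ARN, token path and token contents used in the test are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// CheckIRSAEnv verifies that the two variables the SDK's web-identity provider consumes are set.
func CheckIRSAEnv(env map[string]string) (roleARN, tokenFile string, err error) {
	roleARN, tokenFile = env["AWS_ROLE_ARN"], env["AWS_WEB_IDENTITY_TOKEN_FILE"]
	if roleARN == "" || tokenFile == "" {
		return "", "", fmt.Errorf("IRSA not configured: AWS_ROLE_ARN=%q AWS_WEB_IDENTITY_TOKEN_FILE=%q", roleARN, tokenFile)
	}
	return roleARN, tokenFile, nil
}

// ParseTokenClaims decodes a JWT payload WITHOUT verifying its signature and returns audience
// and expiry: fine for a local diagnostic (STS does the real check), never for authorization.
func ParseTokenClaims(token string) (aud []string, exp time.Time, err error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return nil, exp, fmt.Errorf("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, exp, fmt.Errorf("decode payload: %w", err)
	}
	var raw struct {
		Aud json.RawMessage `json:"aud"`
		Exp int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, exp, fmt.Errorf("parse claims: %w", err)
	}
	// RFC 7519 allows "aud" to be a single string or an array of strings.
	var single string
	if json.Unmarshal(raw.Aud, &single) == nil {
		aud = []string{single}
	} else if err := json.Unmarshal(raw.Aud, &aud); err != nil {
		return nil, exp, fmt.Errorf("parse aud: %w", err)
	}
	return aud, time.Unix(raw.Exp, 0).UTC(), nil
}

// Diagnose runs the preflight; env, file reader and clock are parameters so tests can use constructed input.
func Diagnose(env map[string]string, readFile func(string) ([]byte, error), now time.Time) (string, error) {
	roleARN, tokenFile, err := CheckIRSAEnv(env)
	if err != nil {
		return "", err
	}
	tok, err := readFile(tokenFile)
	if err != nil {
		return "", fmt.Errorf("read %s: %w", tokenFile, err)
	}
	aud, exp, err := ParseTokenClaims(string(tok))
	if err != nil {
		return "", err
	}
	// kubelet rotates projected tokens; an expired one means the projection is not reaching the pod.
	if !now.Before(exp) {
		return "", fmt.Errorf("token expired at %s", exp.Format(time.RFC3339))
	}
	hasSTS := false
	for _, a := range aud {
		hasSTS = hasSTS || a == "sts.amazonaws.com"
	}
	if !hasSTS {
		return "", fmt.Errorf("token audience %v does not include sts.amazonaws.com", aud)
	}
	return fmt.Sprintf("IRSA ready: role=%s region=%q token expires %s", roleARN, env["AWS_REGION"], exp.Format(time.RFC3339)), nil
}

// ConstructedToken builds an unsigned JWT for demonstration and tests only; real tokens are signed by the cluster's OIDC issuer.
func ConstructedToken(aud interface{}, sub string, exp time.Time) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." +
		enc(map[string]interface{}{"aud": aud, "sub": sub, "exp": exp.Unix()}) + ".constructed-signature"
}

func main() {
	env := map[string]string{}
	for _, k := range []string{"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_REGION"} {
		env[k] = os.Getenv(k)
	}
	msg, err := Diagnose(env, os.ReadFile, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, "IRSA preflight failed:", err)
		os.Exit(1)
	}
	fmt.Println(msg)
}
```

Run it from inside a temporal pod (for example via kubectl exec). If the preflight passes but S3 still answers 403, the SDK is not consuming the projected token and is most likely authenticating with whatever it falls back to, such as the node's instance profile; that is where the session construction question raised in this issue comes in. Keep in mind that S3 also returns 403 when the IRSA role's policy lacks the bucket permissions, so verify the role's trust policy and S3 permissions before attributing the failure to the SDK.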

dhiaayachi commented 1 week ago

Thanks for the feature request!

Currently, Temporal does not support IRSA for archival with AWS S3. We are tracking this feature request and will let you know when it is available.

In the meantime, you can use an IAM role with static credentials for your temporal pods. Here are the steps:

  1. Create an IAM role for your temporal pods.
  2. Attach the necessary permissions to the role.
  3. Configure your temporal pods with the IAM role's ARN and secret key.

You can find more information about creating IAM roles in the AWS documentation.