ex-aws / ex_aws_sts


Support global & regional endpoints #30

Open hvieira opened 1 year ago

hvieira commented 1 year ago

When running in AWS and we want to use IAM roles for service accounts, we can use the ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter adapter, which relies on AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN to be present. These env vars are, as far as I know, injected via the identity webhook - https://github.com/aws/amazon-eks-pod-identity-webhook#usage. There are additional settings that can also be configured here, including whether or not to use regional endpoints.

As far as I understand from the existing code, as long as ExAWS is configured with a region, then it will use a regional endpoint - defaulting to us-east-1. However some regions do not support regional endpoints - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints - and it is necessary to understand when to use (or not use) the regional endpoints in favor of the global endpoint.

Containers (or any process that wants to use assume role with web identity) can be configured to have an env variable - AWS_STS_REGIONAL_ENDPOINTS (see pod identity webhook docs) to depict whether or not to use the regional endpoints.

This PR is intended to accomplish 2 items:

Please be aware that I don't have much experience with Elixir nor with ExAWS so there might be scenarios/behaviours that I'm not aware of that need to be addressed in the PR
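As an added illustration (not code from this PR or from ex_aws_sts), the following standalone Elixir module shows one way the AWS_STS_REGIONAL_ENDPOINTS setting and the configured region can be combined into an STS endpoint host; the mode names "regional" and "legacy", the default of "legacy", and the list of legacy regions are assumptions taken from the AWS SDK convention and should be checked against the AWS docs linked above.

```elixir
defmodule StsEndpoint do
  @moduledoc """
  Resolves the STS endpoint host from the configured region and the
  AWS_STS_REGIONAL_ENDPOINTS setting ("regional" or "legacy").
  Standalone example; not part of ex_aws_sts.
  """

  @global_host "sts.amazonaws.com"

  # Assumption: in "legacy" mode these regions fall back to the global
  # endpoint; every other region always gets a regional host. The list
  # mirrors the AWS SDK convention and must be verified against the docs.
  @legacy_regions ~w(ap-northeast-1 ap-south-1 ap-southeast-1 ap-southeast-2
                     ca-central-1 eu-central-1 eu-north-1 eu-west-1 eu-west-2
                     eu-west-3 sa-east-1 us-east-1 us-east-2 us-west-1 us-west-2)

  @doc """
  Returns the STS host for `region` under `mode`. The mode defaults to the
  AWS_STS_REGIONAL_ENDPOINTS env var (read at call time), then to "legacy".
  Unknown modes are rejected rather than silently mapped to an endpoint.
  """
  def host(region, mode \\ System.get_env("AWS_STS_REGIONAL_ENDPOINTS", "legacy"))

  # "regional": always pin the request to the region's own STS endpoint.
  def host(region, "regional") when is_binary(region) and region != "",
    do: regional_host(region)

  # "legacy": only the regions that predate regional STS use the global host.
  def host(region, "legacy") when is_binary(region) and region != "" do
    if region in @legacy_regions, do: @global_host, else: regional_host(region)
  end

  def host(region, mode), do: {:error, {:invalid_endpoint_config, region, mode}}

  defp regional_host(region), do: "sts.#{region}.amazonaws.com"
end
```

Calling `StsEndpoint.host("us-east-1", "legacy")` yields "sts.amazonaws.com", while `StsEndpoint.host("us-east-1", "regional")` yields "sts.us-east-1.amazonaws.com", which is the distinction the webhook setting is meant to control.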

chrono commented 7 months ago

@vanetix @koozdra Is there any help required to get this merged?