When running in AWS and we want to use IAM roles for service accounts, we can use the ExAws.STS.AuthCache.AssumeRoleWebIdentityAdapter adapter, which relies on AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN to be present. These env vars are, as far as I know, injected via the identity webhook - https://github.com/aws/amazon-eks-pod-identity-webhook#usage.

There are additional settings that can also be configured here, including whether or not to use regional endpoints.

As far as I understand from the existing code, as long as ExAWS is configured with a region, then it will use a regional endpoint - defaulting to us-east-1. However some regions do not support regional endpoints - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints - and it is necessary to understand when to use (or not use) the regional endpoints in favor of the global endpoint.

Containers (or any process that wants to use assume role with web identity) can be configured to have an env variable - AWS_STS_REGIONAL_ENDPOINTS (see pod identity webhook docs) to depict whether or not to use the regional endpoints.

This PR is intended to accomplish 2 items:
Fix unit tests that were failing on xml parsing
add support for configuring whether or not to use regional endpoints

Please be aware that I don't have much experience with Elixir nor with ExAWS so there might be scenarios/behaviours that I'm not aware of that need to be addressed in the PR
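To make the endpoint decision described above concrete, here is an added illustration in Elixir. It is not code from this PR or from ExAws; the module name StsEndpointExample, the function names and the sample environment map are all assumptions made for the example. It reads the two env vars the pod identity webhook injects, and it picks the STS host from AWS_STS_REGIONAL_ENDPOINTS (the AWS SDK convention of "regional" versus "legacy", with the global endpoint as the default when the variable is unset), refusing to guess a host when regional mode is requested but no region is configured.

```elixir
defmodule StsEndpointExample do
  @moduledoc """
  Illustrative helper, not part of ExAws: selects the STS host used for
  AssumeRoleWithWebIdentity based on AWS_STS_REGIONAL_ENDPOINTS and checks
  that the env vars injected by the EKS pod identity webhook are present.
  """

  # Global STS endpoint, used unless regional mode is explicitly requested.
  @global_host "sts.amazonaws.com"

  # Values the AWS SDKs accept for AWS_STS_REGIONAL_ENDPOINTS (assumption:
  # anything else is treated as a misconfiguration rather than silently ignored).
  @modes ["regional", "legacy"]

  @doc """
  Returns {:ok, host} or {:error, reason}.

  `env` is a plain map (e.g. System.get_env/0) so the decision can be exercised
  without touching the real environment; `region` is the region ExAws was
  configured with and may be nil.
  """
  def sts_host(env, region) do
    mode = env |> Map.get("AWS_STS_REGIONAL_ENDPOINTS", "legacy") |> String.downcase()

    cond do
      mode not in @modes ->
        {:error, {:invalid_sts_regional_endpoints, mode}}

      mode == "regional" and is_binary(region) and region != "" ->
        {:ok, "sts.#{region}.amazonaws.com"}

      mode == "regional" ->
        # Regional mode with no region: fail loudly instead of picking a default.
        {:error, :region_required_for_regional_endpoint}

      true ->
        {:ok, @global_host}
    end
  end

  @doc """
  Checks for the two env vars the webhook injects and returns
  {:ok, %{token_file: ..., role_arn: ...}} or {:error, {:missing_env, names}}.
  """
  def web_identity_settings(env) do
    required = ["AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_ARN"]

    case Enum.reject(required, &Map.has_key?(env, &1)) do
      [] ->
        {:ok,
         %{
           token_file: Map.fetch!(env, "AWS_WEB_IDENTITY_TOKEN_FILE"),
           role_arn: Map.fetch!(env, "AWS_ROLE_ARN")
         }}

      missing ->
        {:error, {:missing_env, missing}}
    end
  end

  @doc "Runs the helpers against a constructed environment and prints the outcome."
  def demo do
    # Constructed sample environment resembling what the webhook injects;
    # the path, account id and role name are placeholders, not real values.
    env = %{
      "AWS_WEB_IDENTITY_TOKEN_FILE" => "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
      "AWS_ROLE_ARN" => "arn:aws:iam::123456789012:role/example-role",
      "AWS_STS_REGIONAL_ENDPOINTS" => "regional"
    }

    IO.inspect(web_identity_settings(env), label: "web identity settings")
    IO.inspect(sts_host(env, "eu-west-1"), label: "regional mode, region set")
    IO.inspect(sts_host(env, nil), label: "regional mode, no region")
    IO.inspect(sts_host(Map.delete(env, "AWS_STS_REGIONAL_ENDPOINTS"), "eu-west-1"), label: "variable unset")
    IO.inspect(web_identity_settings(Map.delete(env, "AWS_ROLE_ARN")), label: "role arn missing")
  end
end

# StsEndpointExample.demo()
```

Calling StsEndpointExample.demo/0 from iex shows the regional host sts.eu-west-1.amazonaws.com only when the variable is "regional" and a region is configured, the global host when the variable is absent, and explicit error tuples for the two misconfigurations (regional mode without a region, and a missing AWS_ROLE_ARN). Keeping the env map as an argument rather than reading System.get_env/1 inside the functions is what makes the decision unit-testable, which is relevant given the xml parsing test failures this PR also touches.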