Open jonathanasdf opened 2 years ago
Any updates on this?
Here's a workaround: boto3.Session().get_credentials() returns temporary credentials for an assumed role, while aws.py relies on environment variables, so we can easily pass them:
import os

import boto3
from google.auth import aws


def _assume_role():
    # boto3 resolves the web-identity role itself (AWS_WEB_IDENTITY_TOKEN_FILE
    # + AWS_ROLE_ARN) and hands back the assumed role's temporary credentials.
    credentials = boto3.Session().get_credentials()
    if credentials is None:
        raise RuntimeError("boto3 could not resolve any AWS credentials")
    # Freeze first so access key, secret and session token all come from the
    # same refresh of the role session.
    frozen = credentials.get_frozen_credentials()
    return frozen.access_key, frozen.secret_key, frozen.token
...
aws_access_key, aws_secret_access_key, aws_session_token = _assume_role()
os.environ['AWS_ACCESS_KEY_ID'] = aws_access_key
os.environ['AWS_SECRET_ACCESS_KEY'] = aws_secret_access_key
os.environ['AWS_SESSION_TOKEN'] = aws_session_token
...
credentials = aws.Credentials.from_file(json_config_info)
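What aws.py does with those three environment variables, as an added example (not a commenter's code and not google-auth's own implementation): it builds the subject token that GCP's STS receives, a SigV4-signed AWS GetCallerIdentity request serialized as percent-encoded JSON, which GCP replays against AWS to learn which role signed it. The example uses only the standard library; the access key, secret, session token, region and audience values are constructed placeholders, and the `x-goog-cloud-target-resource` header and the regional STS URL are the ones google-auth's AWS credential type uses.

```python
"""Subject token for GCP workload identity federation from AWS credentials.

Added example, not google-auth's code. Reproduces the shape of the token that
aws.py assembles from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY /
AWS_SESSION_TOKEN. All key, token and audience values are constructed.
"""
import datetime
import hashlib
import hmac
import json
import os
import urllib.parse

# Region-scoped verification endpoint (the URL a credential config names in
# its `regional_cred_verification_url` field).
STS_URL = "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Standard SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def build_signed_request(access_key, secret_key, session_token, region, audience, amz_date=None):
    """Return the SigV4-signed GetCallerIdentity request as a dict."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    url = STS_URL.format(region=region)
    parsed = urllib.parse.urlparse(url)
    # Every header below is covered by the signature. GCP checks the target
    # resource header against the audience of the exchange, so a signed request
    # made for one pool provider is not usable against another.
    headers = {
        "host": parsed.netloc,
        "x-amz-date": amz_date,
        "x-goog-cloud-target-resource": audience,
    }
    if session_token:
        # Temporary credentials (assumed roles, IRSA) must carry their session
        # token: AWS STS rejects a request signed with a temporary key pair
        # that omits it.
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(b"").hexdigest()  # POST with an empty body
    canonical_request = "\n".join([
        "POST", parsed.path or "/", parsed.query,
        canonical_headers, signed_headers, payload_hash,
    ])
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret_key, date, region, "sts"),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {
        "url": url,
        "method": "POST",
        "headers": [{"key": "Authorization", "value": authorization}]
        + [{"key": k, "value": v} for k, v in headers.items()],
    }


def build_subject_token(*args, **kwargs) -> str:
    """Percent-encoded JSON form of the signed request, the value sent to GCP's STS."""
    return urllib.parse.quote(json.dumps(build_signed_request(*args, **kwargs)))


def subject_token_from_env(audience, env=None, amz_date=None) -> str:
    """Use the variables the workaround exports. When AWS_ACCESS_KEY_ID is absent
    aws.py falls back to the instance metadata endpoint, which is why the node's
    role shows up instead of the assumed one."""
    env = os.environ if env is None else env
    if not env.get("AWS_SESSION_TOKEN"):
        raise RuntimeError("AWS_SESSION_TOKEN is not set; assumed-role credentials are temporary")
    region = env.get("AWS_REGION") or env["AWS_DEFAULT_REGION"]
    return build_subject_token(env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"],
                               env["AWS_SESSION_TOKEN"], region, audience, amz_date)


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    print(build_subject_token("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                              "FwoGZXIvYXdzEXAMPLE", "us-east-1",
                              "//iam.googleapis.com/projects/123456/locations/global/"
                              "workloadIdentityPools/eks-pool/providers/aws")[:80])
```

The signed request never contains the secret key, only a signature over the request, so the token is safe to hand to GCP; what it does reveal is the access key ID and the session token, both of which expire with the role session.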
I would like to register my interest in this method of authenticating to GCP through AWS EKS K8 service account JWT. This allows me to manage GCP infra from an AWS EKS pod without needing to use static service_account GCP keys or 3rd party tools such as Vault.
Someone pointed out to me that GCP supports OIDC workload federated identities, which is essentially what AWS_WEB_IDENTITY_TOKEN_FILE is providing, so if you're using AWS_WEB_IDENTITY_TOKEN_FILE and an OIDC identity to get an AWS STS token just to use AWS workload identity federation, you may as well remove AWS from the picture and use OIDC workload identity federation directly.
Hey @andrewegel, are you suggesting to follow this? https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers
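The direct route the previous two comments discuss, as an added example (not from any commenter and not google-auth's code): the credential configuration that takes the EKS pod's projected Kubernetes service-account token straight to GCP workload identity federation, with no AWS STS call and no GCP service-account key, plus a local check that the token's `aud` claim is one the pool provider will accept. The project number, pool and provider IDs, service-account e-mail and token path are assumed placeholders; the kubelet writes the token to that path when the pod spec projects a `serviceAccountToken` volume whose `audience` field is set to the provider's audience. The IRSA token's default audience is `sts.amazonaws.com`, which GCP rejects, so a second projection with GCP's audience is needed. Only the standard library is used.

```python
"""External-account config for OIDC federation from an EKS projected token.

Added example, not google-auth's or Google's code. Placeholder project number,
pool, provider, service-account e-mail and token path are assumed values.
"""
import base64
import json

# Assumed path of the projected serviceAccountToken volume inside the pod.
TOKEN_PATH = "/var/run/secrets/gcp/token"


def provider_audience(project_number: str, pool_id: str, provider_id: str) -> str:
    """Resource name of the OIDC provider. By default GCP accepts tokens whose
    aud is this name prefixed with `https://iam.googleapis.com/`."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def identity_pool_config(project_number, pool_id, provider_id, sa_email, token_path=TOKEN_PATH):
    """Config of type external_account, as loaded by google-auth. The JWT in
    `token_path` is the only secret; it is short-lived and rotated by the kubelet."""
    return {
        "type": "external_account",
        "audience": provider_audience(project_number, pool_id, provider_id),
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        # Impersonation step: the federated identity mints an access token for
        # this service account, which is what the IAM binding on the SA gates.
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{sa_email}:generateAccessToken"),
        "credential_source": {"file": token_path, "format": {"type": "text"}},
    }


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Only a local sanity
    check of aud/sub before the exchange; GCP verifies the token against the
    cluster issuer's JWKS."""
    try:
        _header, payload, _sig = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS") from None
    return json.loads(_b64url_decode(payload))


def audience_matches(token: str, project_number, pool_id, provider_id) -> bool:
    """True when the projected token's aud is the provider's default audience."""
    expected = "https:" + provider_audience(project_number, pool_id, provider_id)
    aud = jwt_claims(token).get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    return expected in auds


def constructed_token(claims: dict) -> str:
    """Unsigned JWT for local testing (constructed sample, not a kubelet token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    print(json.dumps(identity_pool_config(
        "123456", "eks-pool", "eks-oidc",
        "gcp-infra@my-project.iam.gserviceaccount.com"), indent=2))
```

Write the dict out as JSON and point `GOOGLE_APPLICATION_CREDENTIALS` at it; on the GCP side the provider needs the cluster's OIDC issuer URL and an attribute condition or IAM binding that restricts `google.subject` (the `system:serviceaccount:<namespace>:<name>` value) to the intended pod identity, otherwise any service account in the cluster can impersonate the GCP service account.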
AWS service accounts can assume an identity using AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN.
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts
A call to aws sts get-caller-identity returns the correct assumed role, but aws.py doesn't seem to support this and returns the cluster role instead. I'm not sure how to support this programmatically, so I'm filing a feature request hoping someone does.