#418 recently added initial support for Workload Identity Federation. Thanks to this new feature, we can now obtain Google Cloud's federated tokens and access tokens for Service Accounts using credentials of AWS IAM roles, obviating the need for issuing long-term JSON keys and storing them on AWS Secrets Manager per se.
Currently, googleauth gem supports the following kinds of external account credentials as the initiator of cross-IaaS trust chains:
AWS access key ID, secret access key, and session token in environment variables
AWS EC2 instance metadata service credentials
Unfortunately, Amazon ECS (Elastic Container Service), one of the major compute services of AWS, utilizes a credentials mechanism different from the EC2 instance metadata service, so container workloads running on ECS cannot obtain AWS IAM role credentials from the EC2 instance metadata (IMDSv2) endpoint, http://169.254.169.254.
Instead, on ECS containers, AWS IAM role credentials must be fetched from a special, per-container, ephemeral local endpoint http://169.254.170.2/{credential_provider_version}/credentials?id={task_credential_id} or equivalently http://169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}, where AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is an environment variable populated by AWS that represents the path part of the full URL to fetch the credentials of the AWS ECS Task IAM role attached to the ECS container, as described here.
Given the lack of support for the AWS ECS container credentials endpoint, container workloads running on ECS such as a fluentd logging sidecar currently need to apply a monkey patch like this.
This PR thus extends the currently implemented Workload Identity Federation with AWS to also support the AWS ECS container credentials endpoint as the third kind of supported credential provider of AWS.
Coincidentally, a similar functionality has been recently implemented by the official aws-sdk-core rubygem.
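An added example, not googleauth's own code, of a resolver that covers the three AWS credential sources this PR describes, assembling the ECS URL from 169.254.170.2 and AWS_CONTAINER_CREDENTIALS_RELATIVE_URI exactly as above; the precedence order, the injectable fetch callback and the sample response are assumptions, and the IMDS case is only signalled so the existing EC2 flow can take over.

```ruby
require "json"
require "net/http"
require "uri"

# Fixed host of the per-task ECS credentials endpoint; only the path comes from the env.
ECS_CREDENTIALS_HOST = "http://169.254.170.2".freeze

# Default fetcher: GET the URL and parse the JSON body (assumed helper, not googleauth's).
def fetch_json(url)
  res = Net::HTTP.get_response(URI(url))
  raise "credential fetch failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)
end

# Normalise the ECS endpoint's response (AccessKeyId, SecretAccessKey, Token,
# Expiration) into the same hash shape used for the environment-variable source,
# refusing partial responses instead of silently signing with missing fields.
def parse_ecs_credentials(json)
  %w[AccessKeyId SecretAccessKey Token].each do |key|
    raise ArgumentError, "ECS credentials response missing #{key}" unless json[key]
  end
  { access_key_id: json["AccessKeyId"], secret_access_key: json["SecretAccessKey"],
    session_token: json["Token"], expiration: json["Expiration"] }
end

# Pick the credential source in the (assumed) order: env vars, ECS endpoint, IMDS.
def aws_credentials(env = ENV, fetch: method(:fetch_json))
  if env["AWS_ACCESS_KEY_ID"] && env["AWS_SECRET_ACCESS_KEY"]
    return { source: :env, access_key_id: env["AWS_ACCESS_KEY_ID"],
             secret_access_key: env["AWS_SECRET_ACCESS_KEY"],
             session_token: env["AWS_SESSION_TOKEN"] }
  end
  relative_uri = env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
  if relative_uri && !relative_uri.empty?
    # Accept only a path so the variable can never point the fetch at another host.
    raise ArgumentError, "relative URI must start with '/'" unless relative_uri.start_with?("/")
    return parse_ecs_credentials(fetch.call(ECS_CREDENTIALS_HOST + relative_uri)).merge(source: :ecs)
  end
  { source: :imds } # no keys, no ECS path: caller continues with the EC2 IMDSv2 flow
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample of what the ECS endpoint returns; values are placeholders.
  sample = { "AccessKeyId" => "AKIAEXAMPLE", "SecretAccessKey" => "secret",
             "Token" => "session-token", "Expiration" => "2030-01-01T00:00:00Z" }
  env = { "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" => "/v2/credentials/example-task-id" }
  puts aws_credentials(env, fetch: ->(url) { puts "GET #{url}"; sample }).inspect
end
```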