Open eloo-abi opened 1 year ago
Hi @eloo-abi 👋🏻
I'm unfamiliar with IAM roles for service accounts, although it looks like something worth looking into for the library. I don't think we'll have the capacity to prioritize this short-term ourselves, but if you wanted to take a stab at it, we would happily support you along the way 👍🏻
Hey @eloo-abi, you can use something like code snippet below to get access and secret key from sts and later construct awsconfig from it
import http from 'k6/http';
import { AWSConfig, S3Client } from 'https://jslib.k6.io/aws/0.10.0/s3.js';
const S3_BUCKET_NAME = 'your_bucket_name';
const S3_OBJECT_KEY = 'path/to/your/s3/object/key';
const AWS_REGION = __ENV.AWS_REGION;
const AWS_ROLE_ARN = __ENV.AWS_ROLE_ARN;
const AWS_WEB_IDENTITY_TOKEN = open('/var/run/secrets/eks.amazonaws.com/serviceaccount/token', 'utf-8');
export function setup() {
const url = "https://sts.amazonaws.com";
const assumeRoleWithWebIdentityURL = `${url}/?Action=AssumeRoleWithWebIdentity&RoleArn=${AWS_ROLE_ARN}&WebIdentityToken=${AWS_WEB_IDENTITY_TOKEN}&RoleSessionName=app1&Version=2011-06-15&DurationSeconds=3600`;
const params = {
headers: {
Accept: "application/json"
},
};
let res = http.post(assumeRoleWithWebIdentityURL, null, params).json();
let credentials = res.AssumeRoleWithWebIdentityResponse.AssumeRoleWithWebIdentityResult.Credentials
const awsConfig = new AWSConfig({
region: AWS_REGION,
accessKeyId: credentials.AccessKeyId,
secretAccessKey: credentials.SecretAccessKey,
sessionToken: credentials.SessionToken,
});
return { awsConfig: awsConfig};
}
export default async function(data) {
let s3client = new S3Client(data.awsConfig)
await s3client.putObject(S3_BUCKET_NAME, S3_OBJECT_KEY, "bleh");
const obj = await s3client.getObject(S3_BUCKET_NAME, S3_OBJECT_KEY);
console.log(JSON.stringify(obj));
}
@iyuroch awesome.. thanks for the snippets, looks really promising. i will give it a try
@oleiade maybe this can be included in the lib to bring IRSA support to everyone?
Hi @eloo-abi 👋🏻
I'm glad someone provided a workaround. Our short-term priorities haven't changed, and I don't think we would have the time to work on this at the moment actively. Besides, as we're internally not users of the feature ourselves, I think it would be better if the community provided a Pull Request implementing support for that feature.
We would of course gladly provide support on that front 👍🏻
Hi,
we are right now trying to upload our html reports into S3 from our kubernetes cluster but it looks like IRSA IAM roles for service accounts is not supported right now.
Would be cool if a kubernetes native tool would support common authentication methods.
Thanks