grafana / k6-jslib-aws

Javascript Library allowing to interact with AWS resources from k6 scripts
Apache License 2.0

Support for IRSA #63

Open eloo-abi opened 1 year ago

eloo-abi commented 1 year ago

Hi,

we are right now trying to upload our HTML reports into S3 from our Kubernetes cluster, but it looks like IRSA (IAM roles for service accounts) is not supported right now.

Would be cool if a Kubernetes-native tool would support common authentication methods.

Thanks

oleiade commented 1 year ago

Hi @eloo-abi 👋🏻

I'm unfamiliar with IAM roles for service accounts, although it looks like something worth looking into for the library. I don't think we'll have the capacity to prioritize this short-term ourselves, but if you wanted to take a stab at it, we would happily support you along the way 👍🏻

iyuroch commented 1 year ago

Hey @eloo-abi, you can use something like the code snippet below to get the access and secret key from STS and later construct an AWSConfig from it:

```javascript
import http from 'k6/http';
import { AWSConfig, S3Client } from 'https://jslib.k6.io/aws/0.10.0/s3.js';

const S3_BUCKET_NAME = 'your_bucket_name';
const S3_OBJECT_KEY = 'path/to/your/s3/object/key';

const AWS_REGION = __ENV.AWS_REGION;
const AWS_ROLE_ARN = __ENV.AWS_ROLE_ARN;
// Projected service account token mounted into the pod for IRSA (read in the init context).
const AWS_WEB_IDENTITY_TOKEN = open('/var/run/secrets/eks.amazonaws.com/serviceaccount/token', 'utf-8').trim();

export function setup() {
  const url = 'https://sts.amazonaws.com';
  // Sent as a form-encoded POST body (k6 encodes object bodies), so the ARN and token
  // are encoded correctly and the token stays out of the request URL and its metric tags.
  const body = {
    Action: 'AssumeRoleWithWebIdentity',
    RoleArn: AWS_ROLE_ARN,
    WebIdentityToken: AWS_WEB_IDENTITY_TOKEN,
    RoleSessionName: 'app1',
    Version: '2011-06-15',
    DurationSeconds: '3600',
  };

  const params = {
    headers: {
      Accept: 'application/json',
    },
  };

  const res = http.post(url, body, params);
  // Fail setup() early instead of dereferencing an error response.
  if (res.status !== 200) {
    throw new Error(`AssumeRoleWithWebIdentity failed with HTTP ${res.status}`);
  }

  const credentials = res.json().AssumeRoleWithWebIdentityResponse.AssumeRoleWithWebIdentityResult.Credentials;
  // Temporary credentials: valid for DurationSeconds from the time setup() ran.
  const awsConfig = new AWSConfig({
    region: AWS_REGION,
    accessKeyId: credentials.AccessKeyId,
    secretAccessKey: credentials.SecretAccessKey,
    sessionToken: credentials.SessionToken,
  });

  return { awsConfig: awsConfig };
}

export default async function (data) {
  const s3client = new S3Client(data.awsConfig);
  await s3client.putObject(S3_BUCKET_NAME, S3_OBJECT_KEY, 'bleh');
  const obj = await s3client.getObject(S3_BUCKET_NAME, S3_OBJECT_KEY);
  console.log(JSON.stringify(obj));
}
```

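
An added example, not part of the comment above or of k6-jslib-aws: a plain-JavaScript check of the STS reply that the workaround reads, failing without echoing the token and tracking when the temporary credentials expire. The function names, the sample bodies, and the assumed success and error shapes of the JSON reply are constructed for illustration.

```javascript
// Added example: validates an STS AssumeRoleWithWebIdentity JSON reply before use.
// Assumption: success and error bodies have the shapes of the constructed samples below.
function parseStsCredentials(status, bodyText) {
  let doc;
  try {
    doc = JSON.parse(bodyText);
  } catch (e) {
    throw new Error(`STS returned HTTP ${status} with a non-JSON body`);
  }
  if (doc === null || typeof doc !== 'object') {
    throw new Error(`STS returned HTTP ${status} with an unexpected body`);
  }
  if (status !== 200) {
    // Report only the error code: never echo the request, which carries the token.
    const err = doc.Error || (doc.ErrorResponse || {}).Error || {};
    throw new Error(`STS returned HTTP ${status}: ${err.Code || 'unknown error'}`);
  }
  const result = (doc.AssumeRoleWithWebIdentityResponse || {}).AssumeRoleWithWebIdentityResult || {};
  const c = result.Credentials || {};
  for (const field of ['AccessKeyId', 'SecretAccessKey', 'SessionToken', 'Expiration']) {
    if (!c[field]) throw new Error(`STS response is missing Credentials.${field}`);
  }
  // Expiration may be epoch seconds (number) or an ISO 8601 string; accept both.
  const expiresAtMs = typeof c.Expiration === 'number' ? c.Expiration * 1000 : Date.parse(c.Expiration);
  if (!Number.isFinite(expiresAtMs)) throw new Error('STS response has an unparseable Expiration');
  return { accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey, sessionToken: c.SessionToken, expiresAtMs };
}

// True when the credentials expire within marginSeconds of nowMs, so the caller
// should assume the role again before signing another request.
function needsRefresh(creds, nowMs, marginSeconds = 300) {
  return nowMs >= creds.expiresAtMs - marginSeconds * 1000;
}

// Constructed sample bodies (not real credentials or real STS output).
const SAMPLE_OK = JSON.stringify({
  AssumeRoleWithWebIdentityResponse: {
    AssumeRoleWithWebIdentityResult: {
      Credentials: {
        AccessKeyId: 'ASIACONSTRUCTEDKEY',
        SecretAccessKey: 'constructed-secret',
        SessionToken: 'constructed-session-token',
        Expiration: 1700003600,
      },
    },
  },
});
const SAMPLE_DENIED = JSON.stringify({ Error: { Code: 'AccessDenied', Type: 'Sender' } });
```

In a k6 script this would be called as `parseStsCredentials(res.status, res.body)` inside `setup()`. Because `setup()` runs once, a test that outlives `DurationSeconds` has to assume the role again when `needsRefresh` returns true.
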
eloo-abi commented 1 year ago

@iyuroch awesome.. thanks for the snippets, looks really promising. I will give it a try.

@oleiade maybe this can be included in the lib to bring IRSA support to everyone?

oleiade commented 1 year ago

Hi @eloo-abi 👋🏻

I'm glad someone provided a workaround. Our short-term priorities haven't changed, and I don't think we would have the time to work on this at the moment actively. Besides, as we're internally not users of the feature ourselves, I think it would be better if the community provided a Pull Request implementing support for that feature.

We would of course gladly provide support on that front 👍🏻