Closed pjrh-moj closed 4 months ago
Aha! I hadn't realised you could start the sts service anonymously, hence the tortuous curl.
Unfortunately removing the fallback authentication means that this will fail in airflow jobs, which use "normal" AWS authentication rather than web identity. However I've just noticed that release 0.5.2 of paws adds AssumeRoleWithWebIdentity which hopefully will mean we don't need to jump through these hoops - I might have a bash with that now as a Friday afternoon project.
Also no, the ARN won't change format.
Yes, the guidance makes it sound like it should all “just work” but I couldn’t make it work nicely straight away so I just modified what you had already done. Let me know where you get to, because it would be nice if paws was able to just detect itself what auth is being used without so much manual intervention.
This uses the new `assume_role_with_web_identity` function in paws to get the credentials, instead of having a manual `curl`. It doesn't make any functional difference. Even if we don't merge this because "why fix something that isn't broken", I'm happy for this to sit here in case it helps us add stuff or fix things later.
Other notes:
- `stringr::str_split(aws_role_arn, '/')[[1]][2]` giving the username - I assume ARNs don't change format?
- `sts` call in paws needs to have dummy credentials otherwise it doesn't work (see https://github.com/paws-r/paws/issues/512) - the option to use `anonymous = TRUE` as a parameter in `sts` isn't available in the version of paws that the AP fetches by default (because it points to an old CRAN repo). So this looks odd, but does seem to work.