Open alghanmi opened 2 months ago
Adding a new method to provide creds seems fine. Feel free to contribute if you'd like. OPA does not vendor the SDK but you can see the implementations of existing providers for reference. Also the code here might be helpful.
Kindly asking if there is somebody working on this issue? If not, I'm glad to undertake it. I'm relatively new to contributing to open source projects, but I am eager to learn and will do my best to complete this task. Thanks! @ashutosh-narkar
Sure @wangchenjie629 if you'd like to work on this please go ahead. Please let us know if you have any questions. Thanks.
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.
What is the underlying problem you're trying to solve?
Currently, OPA supports AWS Signatures using IAM Roles for Service Accounts (IRSA) in EKS to sign and retrieve bundles. EKS Pod Identities is a new way to manage permissions in EKS, and I would like OPA to add support for it.
Describe the ideal solution
I don't know if this solution is in line with the OPA project policies, but if OPA used the AWS SDK to access S3, an SDK upgrade would have added support for EKS Pod Identities. That said, I understand if the project does not want to take on the SDK.
Describe a "Good Enough" solution
Similar to OPA's support of IRSA, Pod Identities export the AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE that can be used to retrieve the auth token.
Additional Context
In November 2023, AWS announced EKS Pod Identity, which is a new feature that simplifies how Kubernetes applications obtain AWS IAM permissions. It is in a way the successor to IAM Roles for Service Accounts (IRSA). Many Kubernetes administrators are migrating from IRSA to Pod Identities for its simplified workflow, the ability to share roles across clusters and its support of session tags.
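The "Good Enough" solution above only names the token file. As an added illustration (not OPA's code and not the AWS SDK), the following Go program shows the full exchange a credential provider would have to perform: read the bearer token from AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, send it in the Authorization header to the agent URL, and parse the returned temporary credentials. It assumes the Pod Identity agent speaks the AWS container credential provider protocol: the URL comes from AWS_CONTAINER_CREDENTIALS_FULL_URI (the agent listens on link-local 169.254.170.23, which the issue does not mention), and the JSON response carries AccessKeyId, SecretAccessKey, Token and Expiration. The loopback/link-local restriction on plain-http URLs mirrors what the AWS SDKs enforce so that a tampered environment cannot redirect the token to an arbitrary host; the exact address list is an assumption. Sample values in the comments are constructed.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// PodIdentityCredentials is the JSON shape returned by the agent
// (assumed to match the AWS container credential provider format).
type PodIdentityCredentials struct {
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	Token           string    `json:"Token"`
	Expiration      time.Time `json:"Expiration"`
}

// loadAuthToken reads the bearer token that the Pod Identity agent injects
// via AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE. The token is re-read on every
// refresh because the agent rotates the file.
func loadAuthToken(tokenFile string) (string, error) {
	raw, err := os.ReadFile(tokenFile)
	if err != nil {
		return "", fmt.Errorf("reading %s: %w", tokenFile, err)
	}
	token := strings.TrimSpace(string(raw))
	if token == "" {
		return "", errors.New("authorization token file is empty")
	}
	return token, nil
}

// validateCredentialsURI refuses to send the token over plain HTTP to anything
// other than loopback or the known agent addresses (assumed list, modelled on
// the AWS SDK restriction). HTTPS destinations are accepted as-is.
func validateCredentialsURI(fullURI string) error {
	u, err := url.Parse(fullURI)
	if err != nil {
		return err
	}
	if u.Scheme == "https" {
		return nil
	}
	if u.Scheme != "http" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	ip := net.ParseIP(u.Hostname())
	if ip == nil {
		return fmt.Errorf("plain-http credentials URI must use an IP host, got %q", u.Hostname())
	}
	for _, allowed := range []string{"169.254.170.2", "169.254.170.23", "fd00:ec2::23"} {
		if ip.Equal(net.ParseIP(allowed)) {
			return nil
		}
	}
	if ip.IsLoopback() {
		return nil
	}
	return fmt.Errorf("plain-http credentials URI host %s is not a loopback or agent address", ip)
}

// buildCredentialsRequest attaches the token as the Authorization header,
// which is how the agent authenticates the calling pod.
func buildCredentialsRequest(ctx context.Context, fullURI, token string) (*http.Request, error) {
	if err := validateCredentialsURI(fullURI); err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fullURI, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", token)
	req.Header.Set("Accept", "application/json")
	return req, nil
}

// parseCredentials decodes a bounded response body and rejects incomplete credentials.
func parseCredentials(r io.Reader) (PodIdentityCredentials, error) {
	var creds PodIdentityCredentials
	if err := json.NewDecoder(io.LimitReader(r, 1<<16)).Decode(&creds); err != nil {
		return creds, fmt.Errorf("decoding credentials: %w", err)
	}
	if creds.AccessKeyID == "" || creds.SecretAccessKey == "" || creds.Token == "" {
		return creds, errors.New("credentials response is missing a required field")
	}
	return creds, nil
}

// NeedsRefresh reports whether the credentials expire within margin of now,
// so a caller can refresh before signing a bundle request with stale keys.
func (c PodIdentityCredentials) NeedsRefresh(now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(c.Expiration)
}

// fetchCredentials performs the whole exchange against the agent.
func fetchCredentials(ctx context.Context, client *http.Client, fullURI, tokenFile string) (PodIdentityCredentials, error) {
	token, err := loadAuthToken(tokenFile)
	if err != nil {
		return PodIdentityCredentials{}, err
	}
	req, err := buildCredentialsRequest(ctx, fullURI, token)
	if err != nil {
		return PodIdentityCredentials{}, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return PodIdentityCredentials{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return PodIdentityCredentials{}, fmt.Errorf("credentials endpoint returned HTTP %d", resp.StatusCode)
	}
	return parseCredentials(resp.Body)
}

func main() {
	fullURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI")
	tokenFile := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
	if fullURI == "" || tokenFile == "" {
		fmt.Println("Pod Identity environment variables are not set; nothing to do")
		return
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	creds, err := fetchCredentials(ctx, &http.Client{Timeout: 5 * time.Second}, fullURI, tokenFile)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("credentials for %s expire at %s\n", creds.AccessKeyID, creds.Expiration.Format(time.RFC3339))
}
```

The returned AccessKeyId, SecretAccessKey and Token would feed the same SigV4 signing path OPA already uses for IRSA; the only new pieces are where the token comes from and which endpoint exchanges it.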