open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Support EKS Pod Identities for Signing S3 Bundle Requests #6724

Open alghanmi opened 2 months ago

alghanmi commented 2 months ago

What is the underlying problem you're trying to solve?

Currently, OPA supports AWS Signatures using IAM Roles for Service Accounts (IRSA) in EKS to sign and retrieve bundles. EKS Pod Identities is a new way to manage permissions in EKS and I would like OPA to add support for it.

Describe the ideal solution

I don't know if this solution is in line with the OPA project policies, but if OPA used the AWS SDK to access S3, an SDK upgrade would have added support for EKS Pod Identities. That said, I understand if the project does not want to take up the SDK.

Describe a "Good Enough" solution

Similar to OPA's support of IRSA, Pod Identities export the AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE that can be used to retrieve the auth token.

Additional Context

In November 2023, AWS announced EKS Pod Identity, a new feature that simplifies how Kubernetes applications obtain AWS IAM permissions. It is in a way the successor to IAM Roles for Service Accounts (IRSA). Many Kubernetes administrators are migrating from IRSA to Pod Identities for its simplified workflow, the ability to share roles across clusters and its support for session tags.

ashutosh-narkar commented 2 months ago

Adding a new method to provide creds seems fine. Feel free to contribute if you'd like. OPA does not vendor the SDK but you can see the implementations of existing providers for reference. Also the code here might be helpful.

wangchenjie629 commented 1 month ago

Kindly ask if there is somebody working on this issue? If not, I'm glad to undertake it. I'm relatively new to contributing to open source projects, but I am eager to learn and will do my best to complete this task. Thanks! @ashutosh-narkar

ashutosh-narkar commented 1 month ago

Sure @wangchenjie629 if you'd like to work on this please go ahead. Please let us know if you have any questions. Thanks.

stale[bot] commented 1 week ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.