Closed armsnyder closed 4 months ago
This should be possible in the latest version of the AWS SDK for JavaScript v3, since the fromHttp provider, documented here https://www.npmjs.com/package/@aws-sdk/credential-providers, has been added to the default credential chain.
You can also opt to use fromHttp directly in older versions of the SDK clients.
fromHttp is a general form of the fromContainerMetadata functionality.
Background
AWS EKS recently announced EKS Pod Identities in November, which is a new way to provide credentials to AWS SDKs when running inside EKS. Previously, the recommended way was IAM Roles for Service Accounts.
The error
I tried setting this up for my app, which is using the latest @aws/client-s3 package (version 3.490.0). However, I am getting this error:
Reason for error
The reason for the error is that the EKS Pod Identity's pod mutation webhook works by setting these two environment variables on the app:
And the AWS_CONTAINER_CREDENTIALS_FULL_URI is rejected by this code: https://github.com/smithy-lang/smithy-typescript/blob/1ae1f4c6138f1463dd254d2b17d714a0b20c2eed/packages/credential-provider-imds/src/fromContainerMetadata.ts#L79-L82
Potential solution
Looking at other official AWS SDKs which do work with EKS Pod Identity credentials, they have some more IPs that they allow when specifying a URI:
https://github.com/aws/aws-sdk-go-v2/blob/a7db10670faedd542dc92cec6d0c602e5315a3a9/config/resolve_credentials.go#L33-L52
I think we just need to make sure these are all supported here as well.
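Added example (not part of the issue and not the SDK's own code): a host allowlist check for AWS_CONTAINER_CREDENTIALS_FULL_URI, run once with a loopback-only list and once with the container endpoints added, to show why the same URI is rejected by one and accepted by the other. The function names, the HTTPS-to-any-host policy, the sample URIs and the three container addresses (169.254.170.2, 169.254.170.23, fd00:ec2::23) are assumptions that do not appear on this page.

```javascript
// Hostnames treated as loopback; 127.0.0.0/8 is handled by isLoopbackV4().
const LOOPBACK_NAMES = ["localhost", "[::1]"];

// Assumption: ECS task endpoint and EKS Pod Identity Agent addresses.
// URL.hostname keeps the brackets around IPv6 literals.
const CONTAINER_HOSTS = ["169.254.170.2", "169.254.170.23", "[fd00:ec2::23]"];

function isLoopbackV4(hostname) {
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Decide whether credentials (and the auth token sent with the request)
// may go to this URI. Assumed policy: HTTPS to any host, plain HTTP only
// to loopback or to a host listed in extraHosts.
function checkCredentialsUri(uri, extraHosts = []) {
  let parsed;
  try {
    parsed = new URL(uri); // parse first: never match on the raw string
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (parsed.protocol === "https:") return { ok: true, reason: "https" };
  if (parsed.protocol !== "http:") {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  const host = parsed.hostname;
  if (isLoopbackV4(host) || LOOPBACK_NAMES.includes(host) || extraHosts.includes(host)) {
    return { ok: true, reason: `http to allowlisted host ${host}` };
  }
  return { ok: false, reason: `http to ${host} not allowed` };
}

// Constructed sample URIs, including two look-alikes that must stay rejected.
const SAMPLES = [
  "http://localhost:8080/creds",
  "http://169.254.170.23/v1/credentials",
  "http://[fd00:ec2::23]/v1/credentials",
  "http://127.0.0.1.example.com/creds",
  "http://169.254.170.23@example.com/creds",
];

function compareAllowlists() {
  return SAMPLES.map((uri) => ({
    uri,
    loopbackOnly: checkCredentialsUri(uri).ok,
    withContainerHosts: checkCredentialsUri(uri, CONTAINER_HOSTS).ok,
  }));
}

console.table(compareAllowlists());
```

The last two samples stay rejected under both lists because the comparison is made on the parsed hostname, not on a prefix or substring of the URI.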