spring-attic / spring-cloud-aws

All development has moved to https://github.com/awspring/spring-cloud-aws
Integration for Amazon Web Services APIs with Spring
https://awspring.io/
Apache License 2.0

aws configuration using service account in eks #771

Closed jainhitesh9998 closed 3 years ago

jainhitesh9998 commented 3 years ago

I've associated a role with a service account and attached it to an EKS deployment. Is there a way to use the token from that to authorize AWS SNS messaging instead of providing the access_key and secret_key?

AWS_ROLE_ARN=some_arn
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

are present in my pod.

neiljbrown commented 3 years ago

Hi, yes, recent versions of the Amazon SDK (both 1.x and 2.x) include a class of AWSCredentialsProvider (WebIdentityTokenCredentialsProvider) that supports AWS clients running in a Pod deployed on EKS authenticating their requests using the K8s OIDC provider's web identity token and assuming the IAM role. The WebIdentityTokenCredentialsProvider is also part of the default credentials provider (DefaultCredentialsProviderChain) that's used by AWS clients. Therefore, if you've configured and deployed your K8s resources correctly, are using the latest version of the SDK, and have your AWS clients configured with the default creds provider, it should just work.

For more details see the EKS User Guide section https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

Neil.

jainhitesh9998 commented 3 years ago

> Hi, yes, recent versions of the Amazon SDK (both 1.x and 2.x) include a class of AWSCredentialsProvider (WebIdentityTokenCredentialsProvider) that supports AWS clients running in a Pod deployed on EKS authenticating their requests using the K8s OIDC provider's web identity token and assuming the IAM role. The WebIdentityTokenCredentialsProvider is also part of the default credentials provider (DefaultCredentialsProviderChain) that's used by AWS clients. Therefore, if you've configured and deployed your K8s resources correctly, are using the latest version of the SDK, and have your AWS clients configured with the default creds provider, it should just work.
>
> For more details see the EKS User Guide section https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
>
> Neil.

We have a Vert.x application which is working fine with the K8s IAM config and is able to talk to the permitted AWS resources using the default credentials chain. But for some reason spring-cloud-messaging-aws is always failing, stating it requires an access key and secret. Is there any specific config needed? We have enabled the default credentials chain, though.

jainhitesh9998 commented 3 years ago

Thanks, changed the configuration to use the WebIdentityTokenCredentialsProvider and it worked.
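The configuration the thread converges on, written out as an added example (not code from this project or from the commenters): a Spring `@Configuration` that overrides the credentials provider with the SDK 1.x `WebIdentityTokenCredentialsProvider` and builds the SNS client from it. It assumes Spring Cloud AWS 2.x on AWS SDK 1.x, that the autoconfigured provider bean is named `credentialsProvider` (an assumption; a `@Primary` bean covers the case where the name differs), and that the IRSA webhook has injected `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` into the pod as shown in the issue.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
import com.amazonaws.services.sns.AmazonSNS;
import com.amazonaws.services.sns.AmazonSNSClientBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;

import java.nio.file.Files;
import java.nio.file.Paths;

@Configuration
public class IrsaCredentialsConfig {

    // Bean name "credentialsProvider" is an assumption about the name Spring Cloud AWS 2.x
    // registers; @Primary makes this provider win even if that name is different.
    @Bean(name = "credentialsProvider")
    @Primary
    public AWSCredentialsProvider credentialsProvider() {
        String roleArn = System.getenv("AWS_ROLE_ARN");
        String tokenFile = System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE");

        // Fail fast at startup instead of letting the default chain silently fall through to
        // "access key and secret required" at the first SNS call. The projected token is a
        // short-lived OIDC JWT; the SDK re-reads and re-exchanges it via STS, so nothing is cached here.
        if (roleArn == null || tokenFile == null || !Files.isReadable(Paths.get(tokenFile))) {
            throw new IllegalStateException(
                    "IRSA not configured: AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE missing or token unreadable");
        }

        // Reads AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE (and optional AWS_ROLE_SESSION_NAME)
        // from the environment and calls sts:AssumeRoleWithWebIdentity. Requires the
        // aws-java-sdk-sts module on the classpath; without it the provider cannot be created.
        return WebIdentityTokenCredentialsProvider.create();
    }

    // Supplying our own AmazonSNS bean keeps Spring Cloud AWS from building one with the
    // static-key provider. Region is resolved by the SDK's default region chain (e.g. AWS_REGION);
    // set it explicitly with .withRegion(...) if that variable is not present in the pod.
    @Bean
    public AmazonSNS amazonSNS(AWSCredentialsProvider credentialsProvider) {
        return AmazonSNSClientBuilder.standard()
                .withCredentials(credentialsProvider)
                .build();
    }
}
```

The IAM role's trust policy must still scope `sts:AssumeRoleWithWebIdentity` to the specific namespace/service-account `sub` claim of the cluster's OIDC provider, otherwise any pod in the cluster can assume it.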