Closed jainhitesh9998 closed 3 years ago
Hi, yes, recent versions of the Amazon SDK (both 1.x and 2.x) include a class of AWSCredentialsProvider (WebIdentityTokenCredentialsProvider) that supports AWS clients that are running in a Pod deployed on EKS authenticating their requests using the K8s OIDC provider's web identity token and assuming the IAM role. The WebIdentityTokenCredentialsProvider is also part of the default credentials provider (DefaultCredentialsProviderChain) that's used by AWS clients. Therefore, if you've configured and deployed your K8s resources correctly, are using the latest version of the SDK, and have your AWS clients configured with the default creds provider, it should just work.
For more details see the EKS User Guide section https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
Neil.
We have a Vert.x application which is working fine with the k8s IAM config and is able to talk to the permitted AWS resources using the default credentials chain. But for some reason spring-cloud-messaging-aws is always failing, stating it requires an access key and secret. Is there any specific config needed? We have enabled the default credentials chain, though.
Thanks, changed the configuration to use the WebIdentityTokenCredentialsProvider and it worked.
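As an added illustration of Neil's description of the provider chain and of the fix reported above (configuring WebIdentityTokenCredentialsProvider explicitly), here is a Spring configuration that wires an SNS client to the IRSA token with the AWS SDK for Java 1.x. This is example code written for this note, not code from the thread, from spring-cloud-aws or from the AWS SDK. The class name IrsaSnsConfig, the fail-fast checks, the use of HOSTNAME for the session name and the assumption that spring-cloud-aws backs off when AWSCredentialsProvider and AmazonSNS beans already exist are my own; it assumes the pod carries the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE variables shown in the question (the same names WebIdentityTokenCredentialsProvider.create() reads on its own) and that the SDK's default region chain can resolve a region (for example from AWS_REGION).

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
import com.amazonaws.services.sns.AmazonSNS;
import com.amazonaws.services.sns.AmazonSNSClientBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Added example (not from the thread, spring-cloud-aws or the AWS SDK):
 * builds the IRSA credentials provider explicitly and hands it to an SNS client.
 */
@Configuration
public class IrsaSnsConfig {

    // Injected into the pod by the EKS pod identity webhook when the service account
    // carries the eks.amazonaws.com/role-arn annotation; these are the two variables
    // the question shows. WebIdentityTokenCredentialsProvider.create() reads the same
    // names itself, but reading them here lets startup fail with a clear message.
    static final String ROLE_ARN_ENV = "AWS_ROLE_ARN";
    static final String TOKEN_FILE_ENV = "AWS_WEB_IDENTITY_TOKEN_FILE";

    @Bean
    public AWSCredentialsProvider awsCredentialsProvider() {
        String roleArn = requireEnv(ROLE_ARN_ENV);
        String tokenFile = requireEnv(TOKEN_FILE_ENV);

        // The projected token is a file inside the container. If the process user
        // cannot read it, STS is never called and the failure only surfaces later as
        // "unable to load credentials", so check it up front.
        if (!Files.isReadable(Paths.get(tokenFile))) {
            throw new IllegalStateException("Web identity token file is not readable: " + tokenFile);
        }

        // The provider calls STS AssumeRoleWithWebIdentity with the token and refreshes
        // the temporary credentials itself. The session name is a hypothetical choice:
        // it appears in CloudTrail as the assumed-role session, so tie it to the workload.
        return WebIdentityTokenCredentialsProvider.builder()
                .roleArn(roleArn)
                .roleSessionName(podNameOr("sns-publisher"))
                .webIdentityTokenFile(tokenFile)
                .build();
    }

    @Bean
    public AmazonSNS amazonSNS(AWSCredentialsProvider credentialsProvider) {
        // Passing the provider explicitly means this client never looks for a static
        // access key / secret key pair. Region comes from the SDK default region chain.
        return AmazonSNSClientBuilder.standard()
                .withCredentials(credentialsProvider)
                .build();
    }

    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name
                    + "; is the service account annotated with eks.amazonaws.com/role-arn?");
        }
        return value;
    }

    // Assumption: Kubernetes sets HOSTNAME to the pod name (at most 63 characters,
    // which fits the STS role-session-name limit of 64).
    private static String podNameOr(String fallback) {
        String hostname = System.getenv("HOSTNAME");
        return (hostname == null || hostname.isEmpty()) ? fallback : hostname;
    }
}
```

With the 2.x SDK the equivalent class is software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider and the client takes it via SnsClient.builder().credentialsProvider(...). Two checks worth doing alongside this: the IAM role's trust policy should condition the OIDC provider's sub claim on the exact system:serviceaccount:<namespace>:<name> (and aud on sts.amazonaws.com) so that no other pod in the cluster can assume the role, and the role's permission policy should grant only the SNS actions on the topics this workload publishes to.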
I've associated a role with a service account and attached it to an EKS deployment. Is there a way to use the token from that to authorize AWS SNS messaging instead of providing the access_key and secret_key?
AWS_ROLE_ARN=some_arn
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
are present in my pod.