feat: add EKS Pod Identity support (#282) #333
Conversation
e21bd29 to
a2b3c0f
Compare
a2b3c0f to
ae95142
Compare
ae95142 to
f8275c9
Compare
There was a problem hiding this comment.
Thank you @andreasbros
I am not familiar with this AWS feature, but this PR looks very well commented, tested and follows the existing patterns in the crate. It looks good to me 👏
It seems there is a small error when compiling for wasm that the CI found, but otherwise this PR is good to merge from my perspective
b8681d6 to
ab1dd2a
Compare
|
Can we please not rebase PRs after review, I will now have to do a fresh review on this PR.
We should use tokio:fs, std::fs shouldn't be used in async contexts (unless wrapped in spawn_blocking, see LocalFilesystem), it just needs to be appropriately gated - WASM contexts don't have filesystem access |
|
@tustvold I changed to
My understanding from the README doc is that entire feature |
|
I took the liberty of pushing a quick fix to avoid doing blocking IO within the credential provider, using the same trick we use for LocalFilesystem (which is also what tokio::fs does under the hood). I don't have a means to test this, but if you are happy it is working I'm happy to get this merged |
thanks @tustvold |
Which issue does this PR close?
Closes #282
Rationale for this change
This PR extends the
AmazonS3Builderso that it recognises and supports EKS Pod Identity credentials using the two environment variables:AWS_CONTAINER_CREDENTIALS_FULL_URIAWS_CONTAINER_AUTHORIZATION_TOKEN_FILEPreviously, the builder only considered ECS task credentials (
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI), instance metadata, static credentials, or web identity tokens. Adding EKS Pod Identity support aligns it with modern Kubernetes IRSA setups, allowing pods to retrieve AWS credentials from an EKS endpoint without needing to mount AWS credentials directly.What changes are included in this PR?
New Config Keys
Adds
AmazonS3ConfigKey::ContainerCredentialsFullUriandAmazonS3ConfigKey::ContainerAuthorizationTokenFileto the config-based approach, for parsing EKS Pod Identity settings. The builder picks these keys from environment variablesAWS_CONTAINER_CREDENTIALS_FULL_URIandAWS_CONTAINER_AUTHORIZATION_TOKEN_FILE.EKSPodCredentialProvider
Introduces an
EKSPodCredentialProvider, which is constructed when both config keys are set. It uses a bearer token (read from the specified file) to fetch short-lived credentials from the EKS credential endpoint.Builder Logic
Adjusts
AmazonS3Builder::buildto give priority to EKS credentials if both the full URI and token file are specified. It checks environment variables infrom_envor direct calls towith_config, falling back to ECS or instance metadata if EKS variables are absent.Tests
Adds tests to confirm EKS credentials build and provider.
Are there any user-facing changes?
New EKS Credential Support
Users in EKS can now set
AWS_CONTAINER_CREDENTIALS_FULL_URIandAWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, and the builder automatically fetches credentials.Configuration Keys
Two new config keys are recognised by the builder:
AmazonS3ConfigKey::ContainerCredentialsFullUriAmazonS3ConfigKey::ContainerAuthorizationTokenFileThese changes are backwards-compatible: existing ECS, static credentials, or IMDS-based setups continue to work unchanged. No additional user steps are required unless they specifically opt to use EKS Pod Identity.