[Question] AWS IAM Roles for Service Accounts (IRSA)
andreafspeziale opened this issue · 1 comments
Hello and thanks for your hard work!
I would like to deploy the proxy in a Kubernetes cluster which leverages service accounts.
This means that the proxy will run in a pod in which the following AWS env variables will be injected:
- `AWS_ROLE_ARN`
- `AWS_WEB_IDENTITY_TOKEN_FILE`
- `AWS_REGION`

Does the proxy somehow support such an access control method?
I created this simple project to play around with OpenSearch, and the OS client should be created by extracting the `AWS_ACCESS_KEY_ID` and the `AWS_SECRET_ACCESS_KEY` starting from the above env variables.
This can be achieved using a little npm package, `@aws-sdk/credential-provider-node`:

```typescript
import { fromTokenFile } from '@aws-sdk/credential-providers';
// ...
interface AwsCredential {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken?: string;
}

// Exchange the projected service account token for temporary role credentials.
const credentials: AwsCredential = await fromTokenFile({
  roleArn: process.env.AWS_ROLE_ARN as string,
  webIdentityTokenFile: process.env.AWS_WEB_IDENTITY_TOKEN_FILE as string,
})();
```
Is this possible? If not, would it be hard to add as a feature? I'm available even if I've never used Go 😄 (@alvinlin123)
After digging into the code and some trial and error, this seems possible and working. Thanks anyway!
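
An offline preflight for the IRSA inputs listed in the issue, as an added example that is not part of the thread or of the proxy's code: it checks the three environment variables and decodes, without verifying, the claims of the projected token. The function names, the sample role ARN, the EKS token path and the default `sts.amazonaws.com` audience are assumptions of this example.

```typescript
// Added example (not from the issue): decode-only preflight; AWS STS verifies the signature.
interface IrsaEnv { AWS_ROLE_ARN?: string; AWS_WEB_IDENTITY_TOKEN_FILE?: string; AWS_REGION?: string }
interface TokenClaims { aud?: string | string[]; sub?: string; exp?: number }

// Decode the payload segment of a JWT (base64url -> JSON).
function decodeClaims(jwt: string): TokenClaims {
  const parts = jwt.trim().split('.');
  if (parts.length !== 3) throw new Error('token is not a three-part JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims: unknown = JSON.parse(atob(b64)); // atob accepts unpadded input
  if (typeof claims !== 'object' || claims === null) throw new Error('payload is not a JSON object');
  return claims as TokenClaims;
}

// Returns a list of problems; an empty list means the inputs look usable.
function checkIrsa(env: IrsaEnv, jwt: string, nowSec: number): string[] {
  const problems: string[] = [];
  if (!/^arn:aws[a-z-]*:iam::\d{12}:role\/.+$/.test(env.AWS_ROLE_ARN ?? '')) {
    problems.push('AWS_ROLE_ARN is missing or not an IAM role ARN');
  }
  if (!env.AWS_WEB_IDENTITY_TOKEN_FILE) problems.push('AWS_WEB_IDENTITY_TOKEN_FILE is not set');
  if (!env.AWS_REGION) problems.push('AWS_REGION is not set');
  let claims: TokenClaims;
  try {
    claims = decodeClaims(jwt);
  } catch (e) {
    return problems.concat(`token unreadable: ${(e as Error).message}`);
  }
  // Assumption: the default IRSA audience; a cluster can be configured with another.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud ?? ''];
  if (aud.indexOf('sts.amazonaws.com') < 0) problems.push('token audience is not sts.amazonaws.com');
  if (!/^system:serviceaccount:[^:]+:[^:]+$/.test(claims.sub ?? '')) {
    problems.push('token subject is not a Kubernetes service account');
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    problems.push('token is expired or has no exp claim');
  }
  return problems;
}

// Constructed sample inputs: placeholder account id and role name, dummy signature.
const b64url = (o: object): string =>
  btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const makeToken = (c: TokenClaims): string => `${b64url({ alg: 'RS256' })}.${b64url(c)}.c2ln`;
const sampleEnv: IrsaEnv = {
  AWS_ROLE_ARN: 'arn:aws:iam::111122223333:role/example-opensearch-proxy',
  AWS_WEB_IDENTITY_TOKEN_FILE: '/var/run/secrets/eks.amazonaws.com/serviceaccount/token',
  AWS_REGION: 'eu-west-1',
};
```

In a pod, pass `process.env`, the contents of the file named by `AWS_WEB_IDENTITY_TOKEN_FILE` and the current Unix time; a non-empty result explains why the credential exchange would be rejected before any call to AWS is made.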