awslabs/mountpoint-s3

Support for Web Identity Token authentication

Closed this issue · 2 comments

Tell us more about this new feature.

We're interested in using OIDC tokens as the identity medium for mountpoint. In Python, this flow looks like:

import boto3

# Placeholder: supply the OIDC token obtained from your identity provider.
IDENTITY_TOKEN_HERE = "<web-identity-token>"

def get_s3_client(role_arn):
    sts_client = boto3.client("sts")

    # Assume role with Web Identity: exchange the OIDC token for temporary AWS credentials
    credential_response = sts_client.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName="OIDCSession", WebIdentityToken=IDENTITY_TOKEN_HERE
    )

    # Extract the temporary credentials and build an S3 client with them
    credentials = credential_response["Credentials"]
    return boto3.client(
        "s3",
        aws_access_key_id=credentials["AccessKeyId"],
        aws_secret_access_key=credentials["SecretAccessKey"],
        aws_session_token=credentials["SessionToken"],
    )

We can hack this functionality on by making the sts flow ourselves, but we're wondering if this is something the mountpoint team has on the roadmap - it would be a big unlock for us.

Hi @pawalt, thanks for creating this issue.

Mountpoint already supports web identity tokens via the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables.

See the AWS docs for more information.

I'll be closing this, but if you find any issues running Mountpoint with OIDC, feel free to add additional comments or create a new issue.
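As an added example (not Mountpoint's own code or part of this thread), the shell wrapper below shows the environment-variable flow the maintainer describes: it verifies that AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are set, that the token file exists and is not readable by other users (the OIDC token is a bearer credential, so a world-readable file is the usual mistake here), and only then runs mount-s3. The bucket name, mount point and token path are assumed placeholders; the token content in the usage note is constructed.

```shell
#!/usr/bin/env sh
# Added example, not Mountpoint's code. Mountpoint itself reads AWS_ROLE_ARN and
# AWS_WEB_IDENTITY_TOKEN_FILE from the environment; this wrapper only checks them
# before mounting.

# check_web_identity_env: return 0 when both variables Mountpoint needs are set and
# the token file is present, non-empty, and only readable by its owner (mode 600 or 400).
check_web_identity_env() {
    [ -n "${AWS_ROLE_ARN:-}" ] || { echo "AWS_ROLE_ARN is not set" >&2; return 1; }
    [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] || { echo "AWS_WEB_IDENTITY_TOKEN_FILE is not set" >&2; return 1; }
    [ -s "$AWS_WEB_IDENTITY_TOKEN_FILE" ] || { echo "token file missing or empty: $AWS_WEB_IDENTITY_TOKEN_FILE" >&2; return 1; }

    # Octal mode bits; GNU stat first, BSD/macOS stat as the fallback.
    perms=$(stat -c '%a' "$AWS_WEB_IDENTITY_TOKEN_FILE" 2>/dev/null || stat -f '%Lp' "$AWS_WEB_IDENTITY_TOKEN_FILE" 2>/dev/null)
    case "$perms" in
        600|400) ;;
        *) echo "token file must be mode 600 or 400 (found $perms)" >&2; return 1 ;;
    esac
    return 0
}

# mount_with_web_identity BUCKET MOUNT_POINT: run the checks, then mount the bucket.
# Credentials never appear on the command line; mount-s3 performs the STS exchange itself.
mount_with_web_identity() {
    bucket=$1
    mount_point=$2
    check_web_identity_env || return 1
    mkdir -p "$mount_point" || return 1
    mount-s3 "$bucket" "$mount_point"
}

# Invoked as a script with two arguments, mount; when sourced, only define the functions.
if [ "$#" -ge 2 ]; then
    mount_with_web_identity "$1" "$2"
fi
```

Typical use, with placeholder values: `export AWS_ROLE_ARN=arn:aws:iam::123456789012:role/example-role`, `export AWS_WEB_IDENTITY_TOKEN_FILE=/run/secrets/oidc-token` (a file written by the identity provider with `chmod 600`), then `./mount-with-oidc.sh my-bucket /mnt/my-bucket`. Rotation of the token file is handled by whatever writes it; the wrapper only refuses to start when the file is missing or exposed.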

@muddyfish Oh great, I didn't realize this. Thanks!