Support for Web Identity Token authentication
Closed this issue · 2 comments
pawalt commented
Tell us more about this new feature.
We're interested in using OIDC tokens as the identity medium for mountpoint. In Python, this flow looks like:
```python
import boto3

# Placeholder kept from the original post: the OIDC token obtained from the identity provider.
IDENTITY_TOKEN_HERE = "<web identity token>"


def get_s3_client(role_arn):
    sts_client = boto3.client("sts")
    # Assume role with Web Identity
    credential_response = sts_client.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName="OIDCSession", WebIdentityToken=IDENTITY_TOKEN_HERE
    )
    # Extract the temporary credentials STS returned and build an S3 client from them
    credentials = credential_response["Credentials"]
    return boto3.client(
        "s3",
        aws_access_key_id=credentials["AccessKeyId"],
        aws_secret_access_key=credentials["SecretAccessKey"],
        aws_session_token=credentials["SessionToken"],
    )
```
We can hack this functionality on by making the sts flow ourselves, but we're wondering if this is something the mountpoint team has on the roadmap - it would be a big unlock for us.
muddyfish commented
Hi @pawalt, thanks for creating this issue.
Mountpoint already supports using web identity tokens using the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables.
See the AWS docs for more information.
I'll be closing this, but if you find any issues running Mountpoint with OIDC, feel free to add additional comments or create a new issue.
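The two comments above describe the same mechanism from two sides: the manual STS `AssumeRoleWithWebIdentity` call in the first post, and the `AWS_WEB_IDENTITY_TOKEN_FILE` / `AWS_ROLE_ARN` environment variables that Mountpoint (like the AWS SDKs) reads to make that call itself. The following is an added example, not code from the original post or from the Mountpoint project. It reads those two variables the way the SDK credential chain does, checks the OIDC token locally (expiry, not-before, audience) before it would be handed to STS, and wraps the STS call from the first post. All function names, the role-ARN regex and the test-token builder are this example's own assumptions; the audience value `sts.amazonaws.com` is only a sample.

```python
"""Preflight for the web-identity credential path Mountpoint uses (added example).

Mountpoint, like the AWS SDKs, picks up AWS_WEB_IDENTITY_TOKEN_FILE and
AWS_ROLE_ARN from the environment and calls STS AssumeRoleWithWebIdentity
itself. This module reproduces the inputs that path consumes, sanity-checks
the OIDC token locally, and optionally performs the same STS call the
original snippet makes. Names here are this example's own, not Mountpoint's.
"""
import base64
import json
import os
import re
import time
from typing import Dict, Optional, Tuple

# Shape of an IAM role ARN as STS expects it (constructed regex, an assumption).
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Return the payload claims of a JWT without verifying its signature.

    Signature verification is STS's job (it fetches the issuer's JWKS); this
    decode exists only for local checks such as expiry and audience.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_aud: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Reject tokens that are expired, not yet valid, or minted for another audience."""
    now = time.time() if now is None else now
    try:
        claims = jwt_claims(token)
    except ValueError as exc:  # covers binascii, unicode and JSON decode errors
        return False, f"malformed token: {exc}"
    if claims.get("exp") is None or claims["exp"] <= now:
        return False, "token expired or missing exp"
    if claims.get("nbf", 0) > now:
        return False, "token not yet valid (nbf in the future)"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, f"audience mismatch: {auds}"
    return True, "ok"


def web_identity_inputs(env: Dict[str, str]) -> Tuple[str, str]:
    """Read the same two variables Mountpoint uses and validate them.

    Returns (token, role_arn). Raises on a missing variable, an empty token
    file, or a role ARN that STS would reject outright.
    """
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    role_arn = env.get("AWS_ROLE_ARN")
    if not token_file or not role_arn:
        raise EnvironmentError("AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN must both be set")
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"AWS_ROLE_ARN does not look like an IAM role ARN: {role_arn}")
    with open(token_file, "r", encoding="utf-8") as fh:
        token = fh.read().strip()
    if not token:
        raise ValueError(f"token file {token_file} is empty")
    return token, role_arn


def assume_role_with_web_identity(token: str, role_arn: str, session_name: str = "OIDCSession") -> Dict:
    """The STS call from the original post; needs boto3 and network access."""
    import boto3  # imported here so the offline preflight helpers work without it

    resp = boto3.client("sts").assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name, WebIdentityToken=token
    )
    return resp["Credentials"]


def make_test_token(claims: Dict) -> str:
    """Build an unsigned JWT (alg 'none') for offline tests only; STS would reject it."""

    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    tok, arn = web_identity_inputs(os.environ)
    ok, why = check_token(tok, expected_aud="sts.amazonaws.com")
    print(f"role={arn} token_check={why}")
```

Run with the same two environment variables you would give `mount-s3` and it reports whether the token on disk is one STS could plausibly accept; a failing `check_token` is the signal to look at the identity provider's token lifetime or audience configuration rather than at Mountpoint.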
pawalt commented
@muddyfish Oh great I didn't realize this. Thanks!