Add Amazon EKS Pod Identity support
jonsbun opened this issue · 3 comments
AWS released a new feature, EKS Pod Identity, that aims to simplify granting AWS access to pods running in an EKS cluster. This new feature is complementary to IAM roles for service accounts (IRSA), and provides a new alternative way to securely grant AWS permissions to pods.
In short, Amazon EKS Pod Identity injects the AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variables into pods, which currently seem to be unsupported by minio-go.
Deep dive into the new Amazon EKS Pod Identity feature: https://securitylabs.datadoghq.com/articles/eks-pod-identity-deep-dive
We already support

```
pkg/credentials/iam_aws.go: token := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN")
pkg/credentials/iam_aws.go: fullURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI")
pkg/credentials/iam_aws.go: relativeURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
```
@harshavardhana AWS_CONTAINER_CREDENTIALS_FULL_URI is defined. However, I can't find anything about the AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE variable.

If I am correct, minio-go supports the container credential provider only for Amazon ECS, but not Amazon EKS, which also requires the AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE variable.
https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
Feel free to add it @jonsbun