AWS IRSA - IAM roles for service accounts
Closed this issue · 8 comments
Is it possible to use IAM roles for service accounts for S3 and SQS?
We wanted to configure a service account with the EKS annotation for IRSA for the engine, but we didn't know whether the workflow can handle the access with:
env | grep "aws"
AWS_ROLE_ARN=arn:aws:iam::xxxx:role/fme-engine
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
@haarchri I don't believe we support roles, only IAM users with an AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
If you're connecting to S3 or SQS within a workspace using a Connector transformer, you should be able to set the Credential Source to System, and it would pick up those two env vars.
From my understanding, the "Retrieve security credentials from instance metadata" section has a way to generate an access key for a role, but with a much shorter expiration time, and you don't have to manage them the same way you do for users.
If you need support for roles within FME, please add an idea to the FME Community or submit a support case with details about your use case.
@jlutherthomas According to https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html this should work out of the box if the application uses the stated AWS SDK version. Can you please confirm whether this is the case?
We also added a request in the community: https://community.safe.com/s/idea/0874Q000000LP4GQAW/detail
@tobilg @haarchri The FME packages (SQSConnector, S3Connector) rely on the Python boto3 library that's included with FME (boto3 1.16.36, botocore 1.19.36).
However, looking at the credential env vars you supplied above, I don't see them as supported in the boto3 documentation, although our SDK versions are higher than what's on the link @tobilg shared.
I'll have a look through the idea you posted on the FME Community @haarchri, thanks for adding a lot of information.
@jlutherthomas thanks for the fast feedback. I think the info you're searching for is on the page of the boto3 docs you mentioned, under the "Assume Role With Web Identity Provider" section.
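As an added example (not code from this thread or from FME), the check below mirrors how botocore's default credential chain treats the two env vars quoted above: static keys in the environment are consulted before the web identity token, so stale IAM user keys left in a pod silently bypass IRSA, and the projected token's claims can be inspected before blaming the SDK. The namespace, issuer and token contents are constructed sample values; the role ARN and token path are the ones from the issue.

```python
import base64
import json
import time

IRSA_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
STATIC_ENV = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")

def decode_jwt_claims(token):
    """Claims of a compact JWT; the signature is left to STS, the pod only inspects."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def resolve_credential_source(env, read_file, now=None):
    """Mirror the part of botocore's default chain that matters here: static env keys
    are consulted before the web identity token, so leftover IAM user keys bypass IRSA."""
    now = time.time() if now is None else now
    has_static = all(env.get(k) for k in STATIC_ENV)
    has_irsa = all(env.get(k) for k in IRSA_ENV)
    if has_static:
        return "static_keys", (["static keys shadow IRSA; unset them to use the role"] if has_irsa else [])
    if not has_irsa:
        return "none", ["IRSA env vars missing; check the service account annotation"]
    try:
        claims = decode_jwt_claims(read_file(env["AWS_WEB_IDENTITY_TOKEN_FILE"]))
    except (OSError, ValueError) as exc:
        return "none", [f"web identity token unusable: {exc}"]
    findings = []
    aud = claims.get("aud", [])
    if "sts.amazonaws.com" not in (aud if isinstance(aud, list) else [aud]):
        findings.append("token audience is not sts.amazonaws.com")
    if claims.get("exp", 0) <= now:
        findings.append("token expired; the kubelet should have rotated it")
    return "web_identity", findings

# Constructed sample: an unsigned token plus the env vars quoted in the issue.
SAMPLE_CLAIMS = {"iss": "https://oidc.eks.REGION.amazonaws.com/id/EXAMPLE", "aud": ["sts.amazonaws.com"],
                 "sub": "system:serviceaccount:fme:fme-engine", "exp": 4_000_000_000}
SAMPLE_ENV = {"AWS_ROLE_ARN": "arn:aws:iam::xxxx:role/fme-engine",
              "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}

def make_sample_token(claims):
    """Build a constructed, unsigned JWT (header.payload.sig) for offline testing."""
    b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'kid': 'sample'})}.{b64(claims)}.sig"

def sample_reader(path):  # stand-in for reading the projected token file
    if path != SAMPLE_ENV["AWS_WEB_IDENTITY_TOKEN_FILE"]:
        raise FileNotFoundError(path)
    return make_sample_token(SAMPLE_CLAIMS)
```

Inside a real pod, call `resolve_credential_source(dict(os.environ), lambda p: open(p).read())`; a result of `static_keys` with a finding means the engine will keep using the IAM user even though the IRSA annotation is in place.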