Bump AWS SDK to support sts:AssumeRoleWithWebIdentity #183
Thanks for the contribution! Would you mind redoing this update on top of the changes made in #182?
In order to support native AWS IAM integration with Kubernetes, the AWS SDK needs to be bumped to v1.23.13 at least. This PR bumps the AWS SDK to v1.24.1.
More info: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
Action performed: dep ensure -update github.com/aws/aws-sdk-go
Signed-off-by: Simon Wydooghe <simon@wydooghe.com>
@samuelkarp Redid SDK update and rebased.
@samuelkarp Any chance of getting this merged some time soon? I'm blocked on getting native AWS IAM support into kaniko until amazon-ecr-credential-helper gets a new release containing an updated SDK (GoogleContainerTools/kaniko#780).
@siwyd have you got this working? I tried building off your fork but the credential helper seems to be failing to get a credential chain when running in EKS with the appropriate service account. Using the AWS CLI in the same pod I can see that the pod can get credentials via the web identity method so it feels like either there's something missing here or I've done something wrong in using the credential helper in this way.
@tomelliff Yeah, it works for me. I've only used it in combination with kaniko though. Can you try setting these environment variables perhaps?
What is the status on this?
@patstrom No idea. All I can do is ping @samuelkarp :)
@siwyd Apologies for the delay and thanks for the contribution! @micahhausler was able to help me test this and it does appear to work.
@samuelkarp Awesome, thanks! Is it possible to cut a release for this so other tools can incorporate the new binary?
It looks like Kaniko is installing the credential helper through
@samuelkarp Ah, didn't know, thanks! I'll see if maybe they can cut a new kaniko release.
By bumping the credential helper version we allow user to use the EKS IRSA feature (awslabs/amazon-ecr-credential-helper#183)
Description of changes:
In order to support native AWS IAM integration with Kubernetes,
the AWS SDK needs to be bumped to v1.23.13 at least. This PR
bumps the AWS SDK to v1.24.1.
More info: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
Action performed: dep ensure -update github.com/aws/aws-sdk-go
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
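For the situation raised in the thread, where the helper cannot resolve credentials in an EKS pod that has a service account, a preflight check like the one below separates a misconfigured pod from a binary whose SDK predates web identity support. This is an added example, not code from this PR or from amazon-ecr-credential-helper: `CheckWebIdentity` and `constructedToken` are hypothetical names, the two environment variables are the ones the AWS SDK's web identity provider reads, and the `sts.amazonaws.com` audience is the EKS default, assumed here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// CheckWebIdentity is a diagnostic only: STS, not this code, verifies the signature.
func CheckWebIdentity(getenv func(string) string, read func(string) ([]byte, error), now time.Time) error {
	if getenv("AWS_ROLE_ARN") == "" {
		return errors.New("AWS_ROLE_ARN is not set")
	}
	raw, err := read(getenv("AWS_WEB_IDENTITY_TOKEN_FILE"))
	if err != nil {
		return fmt.Errorf("cannot read AWS_WEB_IDENTITY_TOKEN_FILE: %w", err)
	}
	parts := strings.Split(strings.TrimSpace(string(raw)), ".")
	if len(parts) != 3 {
		return errors.New("token is not a three-part JWT")
	}
	var c struct {
		Aud json.RawMessage `json:"aud"` // string or array; EKS default audience assumed below
		Exp int64           `json:"exp"`
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return errors.New("token payload is not base64url-encoded JSON")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token has expired")
	}
	if !strings.Contains(string(c.Aud), `"sts.amazonaws.com"`) {
		return fmt.Errorf("audience %s lacks sts.amazonaws.com", c.Aud)
	}
	return nil
}

// constructedToken builds an unsigned, constructed sample token for offline checks.
func constructedToken(aud string, exp int64) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"aud":[%q],"exp":%d}`, aud, exp))) + ".sig"
}

func main() {
	fmt.Println("pod environment:", CheckWebIdentity(os.Getenv, os.ReadFile, time.Now()))
}
```

If this check passes inside the pod and the helper still fails, the remaining suspect is the helper build itself, which per this PR needs AWS SDK v1.23.13 or later.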