AWS IAM: Support for AWS EKS ServiceAccount roles for CloudWatch and S3 image upload #21594
Conversation
|
I realized this change is probably needed in the s3uploader for images as well. Perhaps the AWS configuration should be centralized into a single pkg that both the cloudwatch executor, the image uploader and any potential future interactions can re-use? |
|
Thanks for applying my suggestions, I'm just waiting to get access to an EKS cluster so I can test. |
use WebIdentityRole to assume another role
|
Handing this over to @ryantxu since he needs to look it over too. |
|
@patstrom signed |
|
Is there anything I can do to speed this up a little bit? Hit me! How I see it @aknuds1 currently has some changes requested. Can I help you testing or something? |
|
I've already addressed the requested changes. Perhaps @aknuds1 needs to mark them as resolved as well? |
|
|
|
@ryantxu What is the status on this? |
|
@ryantxu When may you review this? |
|
How does this work in combination with configuring the assume role ARN for the cloudwatch datasource? Can we use the EKS service account as the source profile to assume role with the AWS IAM role specified in the datasource? I'm trying to see if once this is fixed if I can use the SA IAM role to allow assuming into a different IAM role per cloudwatch datasource so I can use a single grafana with multiple AWS accounts. |
| @@ -60,6 +61,7 @@ func GetCredentials(dsInfo *DatasourceInfo) (*credentials.Credentials, error) { | |||
| &credentials.EnvProvider{}, | |||
| &credentials.SharedCredentialsProvider{Filename: "", Profile: dsInfo.Profile}, | |||
| remoteCredProvider(stsSess), | |||
There was a problem hiding this comment.
@patstromm, could you set webIdentityProvider before remoteCredProvider? It's likely that the EC2 instances have a role attached to it, so this order will prioritise the EC2 instance role over the webIdentity. It's better to try first to use the WebIdentity
The EKS service account role can assume a role as well if you define the arn, the code flow is: @patstrom I tested the code in our systems, could you address the 2 issues above so that this can be reviewed and merged? |
|
@dnascimento yep, I see now, looks like it should work. I'll build this locally and see if I can get it to work with multiple roles. Thanks. |
|
I currently have a WIP of the "proper" way here, where I add a I plan to open a separate MR when it's ready (hopefully later this week). |
|
@patstrom -- the new approach looks great. thanks for the effort |
|
Synced your branch with Grafana master, to fix CI issues. Hope you don't mind! |
|
This took a while, but we finally got it merged - thank you for contributing to Grafana! |
|
Cheers! 🎉 You're not getting rid of me that easily though. I just opened a new PR with the "proper" way to solve this that also includes some other fixes to the Cloudwatch data source executor. |
marefr
changed the title
marefr
changed the title
* Replicate SDK behaviour for WebIdentityRole Fix #20473 * Use WebIdentityRole in s3 uploader as well * Use consistent casing * use WebIdentityRole to assume another role Co-authored-by: eV <ev@7pr.xyz>
marefr
changed the title
What this PR does / why we need it:
This PR replicates (most of) the behavior of
aws-sdk-gowhen fetching a WebIdentityRole such as they are used in IAM roles for service account in EKS.The reason for the "(most of)" qualifier is that this will only read the environment variables, so if e.g a
role_session_nameis configured in a configuration file somewhere it won't be picked up. I suspect this won't be much of a problem since all documentation and whatnot for EKS IAM roles for Service Accounts exclusively uses those environment variables.As discussed in the issue the "proper" way to fix this would probably be to always use the default credentials chain unless a specific way is specified in which case only that way should be used.
I've tried this out in an EKS cluster with a standard setup. In other words I've created a deployment and a service account, linked them together, annotated the service account with
eks.amazonaws.com/role-arnand added the necessary trust policies on the role and I can confirm it manages to find the credentials.Which issue(s) this PR fixes:
Fix #20473