[s3-repository] Support IAM roles for Kubernetes service accounts #81255
Conversation
Sorry for the delay Artem - I've left more comments but it looks good overall.
modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java
```java
public void shutdown() {
    if (credentialsProvider != null) {
        credentialsProvider.close();
```
Maybe use IOUtils.close() here so that all objects are torn down but an exception is still rethrown?
...les/repository-s3/src/test/java/org/elasticsearch/repositories/s3/AwsS3ServiceImplTests.java
@elasticmachine update branch
LGTM, thanks for the extra iterations Artem. I've left some minor comments - feel free to address them or not.
modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java (Outdated)
modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java (Outdated)
modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java
...les/repository-s3/src/test/java/org/elasticsearch/repositories/s3/AwsS3ServiceImplTests.java
...les/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3ClientSettingsTests.java
@elasticmachine update branch
@elasticmachine update branch
Thank you very much, Tanguy!
…astic#81255)

There have been many requests to support repository-s3 authentication via IAM roles in Kubernetes service accounts. The AWS SDK is supposed to support them out of the box with the aws-java-sdk-sts library. Unfortunately, we can't use WebIdentityTokenCredentialsProvider from the SDK. It reads the token from AWS_WEB_IDENTITY_TOKEN_FILE environment variable which is usually mounted to /var/run/secrets/eks.amazonaws.com/serviceaccount/token and the S3 repository doesn't have the read permission to read it. We don't want to hard-code a file permission for the repository, because the location of AWS_WEB_IDENTITY_TOKEN_FILE can change at any time in the future and we would also generally prefer to restrict the ability of plugins to access things outside of their config directory.

To overcome this limitation, this change adds a custom WebIdentityCredentials provider that reads the service account from a symlink to AWS_WEB_IDENTITY_TOKEN_FILE created in the repository's config directory. We expect the end user to create the symlink to indicate that they want to use service accounts for authentication. Service accounts are checked and exchanged for session tokens by the AWS STS. To test the authentication flow, this change adds a test fixture which mocks the assume-role-with-web-identity call to the service and returns a response with test credentials.

Fixes elastic#52625
💚 Backport successful
…ts (#81255) (#82796)

There have been many requests to support repository-s3 authentication via IAM roles in Kubernetes service accounts. The AWS SDK is supposed to support them out of the box with the aws-java-sdk-sts library. Unfortunately, we can't use WebIdentityTokenCredentialsProvider from the SDK. It reads the token from AWS_WEB_IDENTITY_TOKEN_FILE environment variable which is usually mounted to /var/run/secrets/eks.amazonaws.com/serviceaccount/token and the S3 repository doesn't have the read permission to read it. We don't want to hard-code a file permission for the repository, because the location of AWS_WEB_IDENTITY_TOKEN_FILE can change at any time in the future and we would also generally prefer to restrict the ability of plugins to access things outside of their config directory.

To overcome this limitation, this change adds a custom WebIdentityCredentials provider that reads the service account from a symlink to AWS_WEB_IDENTITY_TOKEN_FILE created in the repository's config directory. We expect the end user to create the symlink to indicate that they want to use service accounts for authentication. Service accounts are checked and exchanged for session tokens by the AWS STS. To test the authentication flow, this change adds a test fixture which mocks the assume-role-with-web-identity call to the service and returns a response with test credentials.

Fixes #52625
There have been many requests to support repository-s3 authentication via IAM roles in Kubernetes service accounts. The AWS SDK is supposed to support them out of the box with the aws-java-sdk-sts library. Unfortunately, we can't use WebIdentityTokenCredentialsProvider from the SDK. It reads the token from the AWS_WEB_IDENTITY_TOKEN_FILE environment variable, which is usually mounted to /var/run/secrets/eks.amazonaws.com/serviceaccount/token, and the S3 repository doesn't have the permissions to read it. We don't want to hard-code a file permission for the S3 repository, because the location of AWS_WEB_IDENTITY_TOKEN_FILE can change at any time in the future and we would also generally prefer to restrict the ability of plugins to access things outside of their config directory.

To overcome this limitation, this change adds a custom WebIdentityCredentials provider that reads the service account from a symlink to AWS_WEB_IDENTITY_TOKEN_FILE created in the repository's config directory. We expect the end user to create the symlink to indicate that they want to use service accounts for authentication like this:

Service accounts are checked and exchanged for session tokens by the AWS STS. To test the authentication flow, this change adds a test fixture which mocks the assume-role-with-web-identity call to the service and returns a response with test credentials.

Fixes #52625
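The flow the description lays out, as an added example that is not the PR's own code (the PR is Java; this is written in Python so it runs stand-alone): the provider locates the token only through a symlink inside the repository's config directory, treats the presence of that symlink as the operator's opt-in, re-reads the token on every refresh, and exchanges it for session credentials with an AssumeRoleWithWebIdentity call. STS is replaced by an in-process mock in the spirit of the PR's test fixture, returning test credentials in the XML shape the real service uses. The symlink name aws-web-identity-token-file, the role ARN, the session name and the token claims are assumptions made for this example; the page does not state them.

```python
# Added example, not code from the Elasticsearch PR (which is Java): a minimal
# web-identity credentials provider following the flow the PR describes. The
# token is read only through a symlink in the repository config dir and then
# exchanged via AssumeRoleWithWebIdentity; STS is an in-process mock in the
# spirit of the PR's test fixture. Symlink name, role ARN, session name and
# token claims are assumptions for this example, not values from the page.
import base64
import json
import os
import tempfile
import time
import xml.etree.ElementTree as ET
from collections import namedtuple
from datetime import datetime, timezone
from pathlib import Path

SYMLINK_NAME = "aws-web-identity-token-file"   # assumed name, not from the page
STS_NS = "https://sts.amazonaws.com/doc/2011-06-15/"

# expiration is epoch seconds
Credentials = namedtuple("Credentials", "access_key_id secret_access_key session_token expiration")

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_test_token(aud: str = "sts.amazonaws.com", ttl: int = 3600) -> str:
    """Constructed, unsigned stand-in for the projected service-account JWT."""
    claims = {"iss": "https://oidc.eks.example.com/id/TEST", "aud": aud,
              "sub": "system:serviceaccount:default:elasticsearch",
              "exp": int(time.time()) + ttl}
    return ".".join([b64url(b'{"alg":"RS256","kid":"test"}'),
                     b64url(json.dumps(claims).encode()), b64url(b"fake-signature")])

def mock_sts(params: dict) -> str:
    """Stand-in for STS, like the PR's fixture: accepts only AssumeRoleWithWebIdentity
    with an unexpired JWT for audience sts.amazonaws.com. The real service also
    verifies the token signature against the cluster's OIDC provider."""
    if params.get("Action") != "AssumeRoleWithWebIdentity":
        raise ValueError("unsupported action")
    seg = params["WebIdentityToken"].split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if claims.get("aud") != "sts.amazonaws.com" or claims.get("exp", 0) < time.time():
        raise PermissionError("InvalidIdentityToken")
    exp = datetime.fromtimestamp(time.time() + 3600, tz=timezone.utc)
    return f"""<AssumeRoleWithWebIdentityResponse xmlns="{STS_NS}">
  <AssumeRoleWithWebIdentityResult><Credentials>
    <AccessKeyId>ASIATESTACCESSKEY</AccessKeyId>
    <SecretAccessKey>testsecret</SecretAccessKey>
    <SessionToken>testsessiontoken</SessionToken>
    <Expiration>{exp.strftime('%Y-%m-%dT%H:%M:%SZ')}</Expiration>
  </Credentials></AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

def parse_sts_response(body: str) -> Credentials:
    creds = ET.fromstring(body).find(f".//{{{STS_NS}}}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    get = lambda tag: creds.findtext(f"{{{STS_NS}}}{tag}")
    exp = datetime.strptime(get("Expiration"), "%Y-%m-%dT%H:%M:%SZ")
    return Credentials(get("AccessKeyId"), get("SecretAccessKey"), get("SessionToken"),
                       exp.replace(tzinfo=timezone.utc).timestamp())

class WebIdentityCredentialsProvider:
    def __init__(self, config_dir, role_arn, session_name, sts_call=mock_sts, margin=300):
        self.token_link = Path(config_dir) / SYMLINK_NAME
        self.role_arn, self.session_name = role_arn, session_name
        self.sts_call, self.margin = sts_call, margin
        self._cached = None

    def _read_token(self) -> str:
        # The symlink is the operator's explicit opt-in; nothing outside the
        # config dir (env vars, the pod's token mount) is probed directly.
        if not self.token_link.is_symlink():
            raise FileNotFoundError(f"{self.token_link}: no symlink, web identity disabled")
        token = self.token_link.read_text().strip()
        if token.count(".") != 2:
            raise ValueError("token file does not contain a JWT")
        return token

    def get_credentials(self) -> Credentials:
        if self._cached and self._cached.expiration - time.time() > self.margin:
            return self._cached
        token = self._read_token()   # re-read on each refresh: the kubelet rotates it
        params = {"Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
                  "RoleArn": self.role_arn, "RoleSessionName": self.session_name,
                  "WebIdentityToken": token}
        self._cached = parse_sts_response(self.sts_call(params))
        return self._cached

def demo(create_symlink: bool = True) -> Credentials:
    """Lay out a fake token mount and repository config dir in a temp tree."""
    root = Path(tempfile.mkdtemp())
    mount = root / "var/run/secrets/eks.amazonaws.com/serviceaccount"
    mount.mkdir(parents=True)
    (mount / "token").write_text(make_test_token())
    config_dir = root / "config/repository-s3"
    config_dir.mkdir(parents=True)
    if create_symlink:   # the operator's opt-in step
        os.symlink(mount / "token", config_dir / SYMLINK_NAME)
    return WebIdentityCredentialsProvider(
        config_dir, "arn:aws:iam::123456789012:role/es-snapshots", "es").get_credentials()
```

demo() builds the tree, links the token into the config directory and returns the exchanged credentials; demo(create_symlink=False) shows the disabled path, where the provider refuses rather than falling back to the environment variable. Swapping sts_call for a real HTTPS POST to the STS endpoint with the same parameters is the only change needed to talk to the real service.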