Support for AWS EKS IRSA feature

[iptizer]

This is a feature request/ asking whether PR would be accepted for the following environment:

• self-hosted runners
• AWS EKS Kubernetes cluster

When running a self hosted runner inside an AWS EKS Kubernetes cluster AWS has a feature called IRSA (IAM roles for service accounts). This feature allows accessing the AWS API directly from a pod.With this feature different environment variables + different API calls are used.
See nr 3 (Web Identity Token credentials from the environment or container) in credentials precedence.

Trigger are the following two env variables:

• 'AWS_ROLE_ARN'
• 'AWS_WEB_IDENTITY_TOKEN_FILE'

The implementation could look as follows:

• if variables are set
  • execute aws sts assume-web-role-identity which will then return AWS_SECRET_KEYS & others.

It will require a rewrite of these lines + making $INPUT_ACCESS_KEY & $INPUT_SECRET_ACCESS_KEY optional. But it should be backwards compatible.

How do we proceed?

[elgohr]

Hey, sorry for the late reply. I have to think about that...

[elgohr]

Sure, why not 👍