Credentials: Support assuming role via WebIdentityTokenFile #1183
This supports the new AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables, that allow exchanging OIDC tokens given to pods in EKS for access tokens. Fixes minio#1156
PTAL @sinhaashish @kanagarajkm
Hi @harshavardhana @sinhaashish @kanagarajkm, do you have any news about this PR? It's a great feature as EKS + WebIdentity is the way to go for secure IAM credentials on AWS.
Sorry for the delay in review. LGTM.
Awesome, thank you
Do you know when could we see it in v6.0.45 @kanagarajkm?
@jujugrrr soon no ETA
thank you
Now that minio/minio-go#1183 has been merged that supports Web Identity auth in the Minio Client we need to use a recent version of Minio that includes that change that was released in v6.0.45.
This supports the new AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables that allow exchanging OIDC tokens given to pods in EKS for access tokens.

I haven't introduced any new API for this, as I figured the use-case for this will be solely EKS. So this privately extends the existing STSWebIdentity credential provider for AWS use and is only activated when the correct environment variables are provided. Calling NewIAM() is all that is required.

I haven't actually tested this in an AWS environment yet, but figured it was worth opening for discussion early.
@barryib You requested this in #1156 - are you able to test in an AWS environment?
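
The environment-variable gating and token exchange described in this PR, as an added sketch that is not the minio-go code: it builds the form for an AWS STS AssumeRoleWithWebIdentity call only when both variables are set, and rejects an unreadable or empty token file. The function name `webIdentityForm` and the session name are hypothetical; the form field names are the STS query API's.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// webIdentityForm builds the form body for an STS AssumeRoleWithWebIdentity
// call from the two environment variables discussed in this PR. ok is false
// when either is unset, so the caller falls through to its other providers.
func webIdentityForm(getenv func(string) string, read func(string) ([]byte, error)) (form url.Values, ok bool, err error) {
	tokenFile := getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	roleARN := getenv("AWS_ROLE_ARN")
	if tokenFile == "" || roleARN == "" {
		return nil, false, nil
	}
	// Read the file on every call: the token projected into the pod is rotated.
	raw, err := read(tokenFile)
	if err != nil {
		return nil, true, fmt.Errorf("read web identity token: %w", err)
	}
	token := strings.TrimSpace(string(raw))
	if token == "" {
		return nil, true, errors.New("web identity token file is empty")
	}
	form = url.Values{}
	form.Set("Action", "AssumeRoleWithWebIdentity")
	form.Set("Version", "2011-06-15")
	form.Set("RoleArn", roleARN)
	form.Set("RoleSessionName", "example-session") // hypothetical session name
	form.Set("WebIdentityToken", token)
	return form, true, nil
}

func main() {
	form, ok, err := webIdentityForm(os.Getenv, os.ReadFile)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Report the role only; the token is a bearer credential and is never printed.
	fmt.Println("active:", ok, "role:", form.Get("RoleArn"))
}
```

Injecting `getenv` and `read` keeps the activation logic testable without touching the process environment or a real token file.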