You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If applicable, I have added tests that prove my fix is effective or that my feature works.
--> I didn't manage to add the correct test, however I didn't find any for webIdentity auth neither
I have updated any relevant documentation (e.g. README.md).
--> there is a nice .png for which I didn't have the source to add _fetchEKSPodIdentityCredentials in the list
Thank you for your contribution, @tieum 🎉 I will make some time to understand and review this week.
Based on my quick look, can you confirm some things for me?
This change will require the addition of a new config variable AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE?
Can you tell me a bit more about your use case? I have not tried this in eks and I'm curious to understand how widely applicable this might be
The AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environnement variable is available in the container when using EKS Pod Identity, the same way than AWS_WEB_IDENTITY_TOKEN_FILE is available when using IRSA
I've updated the getting_started.md on how to set it up
EKS Pod Identity was released in December 2023 and provides an alternative way to grant workload access to AWS, the differences with IAM Roles for Services Accounts can be found here, a Datadog Security Labs blog post also sums it up nicely
Thank you for the explanation and for the very clean pull request. I think this is a great addition to the library. I have two requests before we merge:
Can you try to add a test for this? There's an example to follow here. I know that our test suite isn't very standard since it's run using the njs binary so let me know if you have questions or would like me to jump in.
Can you take a look at this file and see if we need to look for the file in the VM case too? I'm guessing not since this is EKS but I'd like to get your more informed take on whether it could be necessary in some situations.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed changes
Add support of EKS pod identities
Checklist
I have read the contributing guidelines.
I have signed the F5 Contributor License Agreement (CLA).
If applicable, I have added tests that prove my fix is effective or that my feature works.
--> I didn't manage to add the correct test, however I didn't find any for webIdentity auth neither
I have updated any relevant documentation (e.g.
README.md).--> there is a nice .png for which I didn't have the source to add
_fetchEKSPodIdentityCredentialsin the list