
Allow use of IRSA for s3 bucket configurations #820

Open
dlydiard opened this issue Apr 21, 2023 · 5 comments
Labels: enhancement (New feature or request), work in progress (Don't merge, there's still work to do.)

Comments

@dlydiard

Instead of providing credentials for the S3 bucket, we would like to take advantage of IRSA with OpenShift:
https://docs.openshift.com/rosa/rosa_architecture/rosa-sts-about-iam-resources.html

Long-lived AWS credentials are not desired.

@eguzki
Member

eguzki commented May 26, 2023

Thanks for the request.

Is it about the STS authentication for S3 as defined in the 3scale operator doc about S3 with STS and implemented in #792? Jira issue: https://issues.redhat.com/browse/THREESCALE-8772

@dlydiard
Author

dlydiard commented Jun 1, 2023

It might be possible to point the AWS_WEB_IDENTITY_TOKEN_FILE secret value to the resulting token provisioned with IRSA.

However, I still think the APIManager config can support IRSA in a more direct fashion. For example:

```yaml
fileStorage:
  simpleStorageService:
    irsa:
      enabled: true
      audience: sts.amazonaws.com
      roleArn: arn:aws:iam::....
```

I would then expect the operator to add the needed annotations on the appropriate ServiceAccounts to enable IRSA.

@eguzki
Member

eguzki commented Jun 1, 2023

Could you elaborate more? I am not familiar with IRSA (I cannot find it in the doc provided). Also, I cannot read anything about adding annotations to ServiceAccount objects.

@dlydiard
Author

dlydiard commented Jun 1, 2023

https://cloud.redhat.com/blog/running-pods-in-openshift-with-aws-iam-roles-for-service-accounts-aka-irsa

The TL;DR:

  • Create a Role/Trust Relationship in AWS. OpenShift ROSA automatically creates the Identity Providers for you per OpenShift cluster in AWS.
  • The ServiceAccount the 3scale pods (that need S3 access) are using will then need the correct IRSA annotations, referencing the role ARN that was created in AWS, e.g.:
        eks.amazonaws.com/audience: sts.amazonaws.com
        eks.amazonaws.com/role-arn: "arn:aws:iam::..."
    This is where defining the audience/roleArn in the APIManager definition for IRSA (example) I think would make IRSA very accessible.
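The procedure in the comment above (an IAM role whose trust relationship points at the cluster's OIDC provider, then the two annotations on the ServiceAccount), as an added example; this is not code from the issue or from the 3scale-operator project. The account ID, provider ARN, issuer host, namespace and ServiceAccount name are constructed placeholders, and `trust_policy_findings` is a hypothetical check of my own, not an AWS or operator API. It also shows the check a practitioner wants before wiring this up: the trust policy must pin the token's `sub` claim to exactly one ServiceAccount, otherwise any pod in the cluster can present a projected token and assume the role.

```python
"""IRSA wiring for an S3-backed workload: trust policy + annotated ServiceAccount.

Added example, not code from the issue or the 3scale-operator project.
All identifiers below are constructed placeholders.
"""
import json

# Constructed placeholders (not a real account, cluster or role).
OIDC_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/rh-oidc.example.com/abc123"
OIDC_ISSUER_HOST = "rh-oidc.example.com/abc123"
ROLE_ARN = "arn:aws:iam::123456789012:role/threescale-s3"
AUDIENCE = "sts.amazonaws.com"
NAMESPACE = "3scale"
SA_NAME = "amp"  # hypothetical name of the ServiceAccount the S3-using pods run as


def _as_list(value):
    """IAM allows a string or a list in Action/Condition values; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def build_trust_policy(provider_arn, issuer_host, namespace, sa_name, audience):
    """Trust relationship that lets exactly one ServiceAccount assume the role.

    The projected token's `sub` claim is `system:serviceaccount:<namespace>:<name>`,
    so pinning it with StringEquals is what stops other pods in the cluster from
    using this role. The `aud` condition matches the eks.amazonaws.com/audience
    annotation on the ServiceAccount.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{issuer_host}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                    f"{issuer_host}:aud": audience,
                }
            },
        }],
    }


def build_service_account(namespace, name, role_arn, audience):
    """The ServiceAccount with the annotations the comment above expects the operator to add."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {
                "eks.amazonaws.com/role-arn": role_arn,
                "eks.amazonaws.com/audience": audience,
            },
        },
    }


def trust_policy_findings(policy, issuer_host):
    """Hypothetical scoping check: list ways a trust policy is broader than one ServiceAccount.

    Flags Allow statements for sts:AssumeRoleWithWebIdentity that do not condition on
    the `sub` claim, condition on it only via a wildcard StringLike pattern, or do not
    condition on `aud`.
    """
    findings = []
    sub_key = f"{issuer_host}:sub"
    aud_key = f"{issuer_host}:aud"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        if sub_key not in equals and sub_key not in like:
            findings.append(f"statement {i}: no {sub_key} condition; any ServiceAccount in the cluster can assume the role")
        elif sub_key in like and any("*" in p or "?" in p for p in _as_list(like[sub_key])):
            findings.append(f"statement {i}: wildcard {sub_key} condition {_as_list(like[sub_key])}")
        if aud_key not in equals and aud_key not in like:
            findings.append(f"statement {i}: no {aud_key} condition; tokens minted for other audiences are accepted")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(OIDC_PROVIDER_ARN, OIDC_ISSUER_HOST, NAMESPACE, SA_NAME, AUDIENCE)
    print(json.dumps(policy, indent=2))
    print(json.dumps(build_service_account(NAMESPACE, SA_NAME, ROLE_ARN, AUDIENCE), indent=2))
    print("findings:", trust_policy_findings(policy, OIDC_ISSUER_HOST))
```

The annotations alone grant nothing: the IAM trust policy decides which `sub` (ServiceAccount) and `aud` values it accepts, which is why the check flags a missing or wildcarded `sub` condition. Mounting the projected token into the pod and setting `AWS_WEB_IDENTITY_TOKEN_FILE` / `AWS_ROLE_ARN` is the job of the cluster's pod identity webhook once the annotations are present; nothing in this block does that.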

@briangallagher

EPIC here dealing with improving STS support. Still in planning.

briangallagher added the labels enhancement (New feature or request) and work in progress (Don't merge, there's still work to do.) on Jan 31, 2024