barman-cli-cloud does not work with IMDSv2 #949
Description
Hi,
I want to be able to ship backups to S3. In AWS we use recommended IMDSv2 (http token required) on all of our EC2 instances, we do not store AWS credentials on any instances or containers, this is not recommended, we only use IRSA to auth to other AWS services.
barman-cli-cloud only works like this if i set http-token as optional in my EC2 metadata config, see here for more details:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html
Please can some logic be added to fix this to work with a token required?
**Updated
add flag for aws irsa:
s3_arguments.add_argument(
"--aws-irsa",
help="bypasses credentials/profile and uses iam service account",
action="store_true",
default=False,
)and then just condition to use irsa or not, which can use local environment variables and sts to get a session:
# barman/cloud_providers/aws_s3.py
if self.aws_irsa:
client = boto3.client('sts')
with open(os.getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), 'r') as content_file:
web_identity_token = content_file.read()
response = client.assume_role_with_web_identity(
RoleArn=os.environ['AWS_ROLE_ARN'],
RoleSessionName='barman',
WebIdentityToken=web_identity_token,
# DurationSeconds=3600 # defaults to an hour, must not be greater than
# the iam role max duration session (this is also default 1 hour)
)
credentials = response['Credentials']
session = boto3.Session( aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'])
else:
session = boto3.Session(profile_name=self.profile_name)
self.s3 = session.resource("s3", endpoint_url=self.endpoint_url, config=config)thanks!