EKS Pod Identity - Cannot get credentials #3062
Comments
I'm experiencing the same issue using AWS SDK version 1.12.619
@leroylim20 @cademarkegard sorry for the long silence. Java SDK 1.x does not support EKS Pod Identity.
Hi @debora-ito, thanks for the response; however, it is listed in the CHANGELOG that it is supposed to: https://github.com/aws/aws-sdk-java/blob/master/CHANGELOG.md#amazon-eks-auth . Can you please update the documentation if AWS does not have plans on supporting this feature, to not mislead others in the future?
Yes, I'll reach out to the EKS documentation team and ask to clarify here the Java SDK v1 does not support EKS Pod Identity. The changelog entry is the service release note that is automatically sent to all the AWS SDKs when a service feature is released that day. Service features usually don't require changes on the SDK side, but in the case of Pod Identities the Container Credential Provider process required some changes, and those changes were implemented in Java SDK v2 only, they won't be in v1.
Thanks so much for the explanation!
Hey it looks like they changed documentation yesterday: I see now EKS is supporting v1: https://docs.aws.amazon.com/pdfs/eks/latest/userguide/eks-ug.pdf#pod-id-minimum-sdk and the error keeps happening. Wondering if the problem got solved in following versions or what! cc @rijulGogia
Ok, an update: Java SDK 1.x doesn't support EKS Pod Identity. The documentation change pointed out by @daniel-dios was made by mistake, and I asked the Documentation team to rectify - there's a banner there now saying
@cademarkegard after I asked the Doc team to explicitly add the Java v1 to the list of SDKs and highlight that is not supported, they replied saying the list should include only the SDKs that do support, and they'd like to keep it this way. So hopefully the banner will call attention to it, while it's there. I'll mark this to autoclose soon. Let me know if there's any follow-up questions.
There is no plan to support EKS Pod identity in AWS SDK V1? Rewriting entire services is not an option in most cases.
That's correct, there's no plans to support EKS Pod Identity in V1. This aligns with the V1 deprecation path announced here, V1 will enter maintenance mode July 31, 2024.
That's unfortunate, one would expect that maintenance mode entering in July and being in March, this would be available (general availability ends on July 30, and this was notified just 2 months ago). That way we would have a little more time to "port" components, while infrastructure can move forward with deploying EKS Pod identity. Is there any technical difficulty to implement it externally in a custom credentials provider? Just asking because I may be tempted to attempt implementing it - unless there's a blocker or high technical toll that prevents it.
Any update on this?
Any technical insight about why this was discarded (technical impossibility, high difficulty?) would be highly appreciated in order to help me decide if I can implement myself. Does this require any kind of signature that is not supported in AWS SDK v1 or something of the kind? Edit: Just to confirm, I'm looking at the code and it seems the only change needed would be to also consider
Just to confirm: for us it's working well with this sample project https://github.com/flozano/aws-eks-identity-pod-v1 Given the minimal extent of the changes, the fact that AWS SDK v1 maintenance mode was just recently announced (at least publicly - I'm aware it was announced inside AWS much earlier) and that maintenance mode will not start until July (4 months away), I'm not sure how AWS justifies not supporting this feature.
I'm wondering what's reasonable to expect from SDK v1 updates, given that in: we are still in General Availability period, and
just saying. |
Added support for the AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variable in the FullUriCredentialsEndpointProvider, which is the required method of obtaining the authorization token when using the EKS Pod Identity feature. Moreover, the allowed hosts validation has been extended to include the ECS and EKS host IPs, which should be allowed for http (not https) traffic. Fixes aws#3062
Good news, everyone! We've added support for EKS Pod Identity in v1, starting in SDK version I'll reach out to the EKS documentation team again, and ask to update the list here to reflect the change.
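The two checks named in the commit message above (token read from the file in AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, plain http accepted only for agent or loopback hosts), written in JDK-only Java as an added example; it is not the SDK's code and not part of this thread. The class and method names, the agent IP literals, the token-file precedence and the sample URI and token are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;

public class ContainerEndpointCheck {
    // ECS and EKS Pod Identity agent addresses: well-known values, assumed here, not quoted from the thread.
    static final List<String> AGENT_HOSTS = Arrays.asList("169.254.170.2", "169.254.170.23", "fd00:ec2::23");

    /** Returns the URI if the token may be sent to it; http is limited to agent or loopback hosts. */
    static URI validateEndpoint(String fullUri) throws IOException {
        URI uri = URI.create(fullUri);
        if (uri.getHost() == null) throw new IllegalArgumentException("no host in " + fullUri);
        if ("https".equalsIgnoreCase(uri.getScheme())) return uri;
        if (!"http".equalsIgnoreCase(uri.getScheme()))
            throw new IllegalArgumentException("unsupported scheme in " + fullUri);
        String host = uri.getHost().replaceAll("^\\[|\\]$", ""); // URI keeps brackets on IPv6 literals
        if (AGENT_HOSTS.contains(host)) return uri;
        for (InetAddress a : InetAddress.getAllByName(host))
            if (!a.isLoopbackAddress())
                throw new IllegalArgumentException("http not allowed for host " + host);
        return uri;
    }

    /** Token file wins over the inline variable and is re-read on each call, since the file is rotated. */
    static String resolveToken(Map<String, String> env) throws IOException {
        String file = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE");
        String token = file != null
                ? new String(Files.readAllBytes(Paths.get(file)), StandardCharsets.UTF_8).trim()
                : env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN");
        // A CR or LF inside the value could smuggle extra headers into the request.
        if (token == null || token.isEmpty() || token.contains("\r") || token.contains("\n"))
            throw new IllegalArgumentException("missing or malformed authorization token");
        return token;
    }

    public static void main(String[] args) throws IOException {
        Path tokenFile = Files.createTempFile("pod-identity", ".token"); // constructed sample token file
        Files.write(tokenFile, "constructed-sample-token\n".getBytes(StandardCharsets.UTF_8));
        Map<String, String> env = new HashMap<>(); // constructed; a pod would use System.getenv()
        env.put("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://169.254.170.23/v1/credentials");
        env.put("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE", tokenFile.toString());
        URI endpoint = validateEndpoint(env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI"));
        System.out.println("GET " + endpoint + ", token length " + resolveToken(env).length());
        try { validateEndpoint("http://10.0.0.5/v1/credentials"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The host check is what keeps the pod's bearer token from being sent in cleartext to an arbitrary address if the FULL_URI variable is tampered with.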
Describe the bug
Using Java SDK 1.12.596, the pod with Pod Identity addon is not able to get AWS credentials via SDK. On the same pod, using AWS CLI v1, it can successfully get its credentials.
On AWS CLI v1
Expected Behavior
Successfully runs the AWS command (E.g. EC2 describe-instances) and prints out its output
Current Behavior
Reproduction Steps
Run a pod with Java AWS SDK that calls AWS API with pod identity configured
Deployment YAML
Possible Solution
Fix the credential chain for Pod Identity
Additional Information/Context
No response
AWS Java SDK version used
1.12.596
JDK version used
11
Operating System and version
eclipse-temurin:11