Bump AWS SDK to support sts:AssumeRoleWithWebIdentity #183

Merged
merged 1 commit into from Oct 24, 2019


Contributor

@siwyd siwyd commented Sep 18, 2019

Description of changes:

In order to support native AWS IAM integration with Kubernetes,
the AWS SDK needs to be bumped to v1.23.13 at least. This PR
bumps the AWS SDK to v1.24.1.

More info: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/

Action performed: dep ensure -update github.com/aws/aws-sdk-go

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@samuelkarp
Contributor

Thanks for the contribution! Would you mind redoing this update on top of the changes made in #182?

In order to support native AWS IAM integration with Kubernetes,
the AWS SDK needs to be bumped to v1.23.13 at least. This PR
bumps the AWS SDK to v1.24.1.

More info: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/

Action performed: dep ensure -update github.com/aws/aws-sdk-go

Signed-off-by: Simon Wydooghe <simon@wydooghe.com>
@siwyd
Contributor Author

siwyd commented Sep 18, 2019

@samuelkarp Redid SDK update and rebased.

@siwyd
Contributor Author

siwyd commented Sep 23, 2019

@samuelkarp Any chance of getting this merged some time soon? I'm blocked on getting native AWS IAM support into kaniko until amazon-ecr-credential-helper gets a new release containing an updated SDK (GoogleContainerTools/kaniko#780).

@tomelliff

@siwyd have you got this working?

I tried building off your fork but the credential helper seems to be failing to get a credential chain when running in EKS with the appropriate service account. Using the AWS CLI in the same pod I can see that the pod can get credentials via the web identity method so it feels like either there's something missing here or I've done something wrong in using the credential helper in this way.

@siwyd
Contributor Author

siwyd commented Oct 3, 2019

@tomelliff Yeah, it works for me. I've only used it in combination with kaniko though. Can you try setting these environment variables perhaps?

AWS_EC2_METADATA_DISABLED=true
AWS_SDK_LOAD_CONFIG=true
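
A pre-flight check for the situation discussed above, added here as an example (it is not code from this PR or from amazon-ecr-credential-helper). It reports which inputs to web identity credential resolution are missing or stale inside the pod, without printing the token. `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables the AWS SDK reads for web identity credentials and do not appear in the thread; the function name `irsaProblems` is hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// irsaProblems (hypothetical helper) lists reasons web identity credentials may
// not resolve. getenv/readFile are injected for offline tests; the token is never echoed.
func irsaProblems(getenv func(string) string, readFile func(string) ([]byte, error), now time.Time) []string {
	var out []string
	if getenv("AWS_ROLE_ARN") == "" {
		out = append(out, "AWS_ROLE_ARN is not set")
	}
	for _, k := range []string{"AWS_EC2_METADATA_DISABLED", "AWS_SDK_LOAD_CONFIG"} {
		if getenv(k) != "true" {
			out = append(out, k+" is not \"true\" (setting suggested in the thread)")
		}
	}
	path := getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	if path == "" {
		return append(out, "AWS_WEB_IDENTITY_TOKEN_FILE is not set")
	}
	raw, err := readFile(path)
	if err != nil {
		return append(out, "token file unreadable: "+err.Error())
	}
	parts := strings.Split(strings.TrimSpace(string(raw)), ".")
	if len(parts) != 3 {
		return append(out, "token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Exp int64 `json:"exp"` }
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return append(out, "token payload is not base64url JSON")
	}
	if claims.Exp != 0 && !now.Before(time.Unix(claims.Exp, 0)) {
		out = append(out, "token expired at "+time.Unix(claims.Exp, 0).UTC().Format(time.RFC3339))
	}
	return out
}

func main() { // prints one finding per line; empty output means nothing was flagged
	fmt.Println(strings.Join(irsaProblems(os.Getenv, os.ReadFile, time.Now()), "\n"))
}
```

The check only decodes the token's expiry claim; it does not verify the signature, which is the job of AWS STS.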

@patstrom

What is the status on this?

@siwyd
Contributor Author

siwyd commented Oct 18, 2019

@patstrom No idea. All I can do is ping @samuelkarp :)

Contributor

@samuelkarp samuelkarp left a comment

@siwyd Apologies for the delay and thanks for the contribution! @micahhausler was able to help me test this and it does appear to work.

@samuelkarp samuelkarp merged commit 73edd05 into awslabs:master Oct 24, 2019
@siwyd
Contributor Author

siwyd commented Oct 24, 2019

@samuelkarp Awesome, thanks! Is it possible to cut a release for this so other tools can incorporate the new binary?

@siwyd siwyd deleted the aws-sdk-bump branch October 24, 2019 09:35
@samuelkarp
Contributor

It looks like Kaniko is installing the credential helper through go get, so it should be able to retrieve the master branch and build it. As to a full release: I don't know when I'll have the chance to get one out. (The barrier to cutting releases and publishing binaries is a lot lower than last time since there's now a good amount of automation, but it hasn't gone to zero.)

@siwyd
Contributor Author

siwyd commented Oct 28, 2019

@samuelkarp Ah, didn't know, thanks! I'll see if maybe they can cut a new kaniko release.

@samuelkarp samuelkarp mentioned this pull request Jan 2, 2020
Rowern added a commit to Rowern/makisu that referenced this pull request Apr 1, 2020
By bumping the credential helper version we allow user to use the EKS IRSA feature (awslabs/amazon-ecr-credential-helper#183)
Rowern added a commit to Rowern/makisu that referenced this pull request Apr 2, 2020
By bumping the credential helper version we allow user to use the EKS IRSA feature (awslabs/amazon-ecr-credential-helper#183)
yiranwang52 pushed a commit to uber-archive/makisu that referenced this pull request Apr 2, 2020
By bumping the credential helper version we allow user to use the EKS IRSA feature (awslabs/amazon-ecr-credential-helper#183)