Support AWS IAM Roles for Service Accounts #50

Closed
jordanjennings opened this issue Mar 11, 2022 · 0 comments · Fixed by #51

jordanjennings commented Mar 11, 2022

dockcmd currently has a hard-coded list of credentials providers which doesn't support the WebIdentityRoleProvider needed for IRSA to work as expected.

https://github.com/boxboat/dockcmd/blob/master/cmd/aws/aws.go#L126

```go
// Excerpt quoted from cmd/aws/aws.go (linked above).
var creds = sess.Config.Credentials
if o.useChainCredentials {
	// Hard-coded provider chain; it contains no web identity provider.
	creds = credentials.NewChainCredentials(
		[]credentials.Provider{
			&credentials.EnvProvider{},
			&credentials.SharedCredentialsProvider{
				Profile: o.profile,
			},
			&ec2rolecreds.EC2RoleProvider{
				Client: ec2metadata.New(sess),
			},
			&SessionProvider{
				Session: sess,
			},
		})
} else {
	// Static credentials are required when the chain is not used.
	if o.accessKeyID == "" || o.secretAccessKey == "" {
		return nil, errors.New("no aws credentials provided")
	}
	creds = credentials.NewStaticCredentials(o.accessKeyID, o.secretAccessKey, "")
}
```

I think the entire true section of the block that re-configures the chain of credentials providers can be removed so that it uses the SDK default chain, which already supports IRSA. I'm assuming there was a reason that the custom chain of credentials providers was originally added, but it's not clear what that reason is.

@boxboatmatt Can the custom credentials chain be removed when useChainCredentials is true?
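
The effect described in the comment above, as an added example that is not part of the original issue or dockcmd's code: a standard-library-only Go model of first-match credential chain resolution, showing how a chain without a web identity step can leave a pod that has IRSA configured running on another credential source. The provider labels, `Probe`, `Resolve`, `IRSABypassed` and the sample values are assumptions made for illustration; real SDK resolution has more steps.

```go
package main

import "fmt"

// Provider labels for this model only; they are not SDK identifiers.
const Env, SharedFile, WebIdentity, EC2Role = "env-keys", "shared-credentials-file", "web-identity", "ec2-instance-role"

// HardCoded mirrors the order quoted in the issue (SessionProvider omitted: its behaviour
// is not shown). WithWebIdentity is an assumed, simplified chain with a web identity step.
var HardCoded = []string{Env, SharedFile, EC2Role}
var WithWebIdentity = []string{Env, WebIdentity, SharedFile, EC2Role}

// Probe is a constructed description of what a pod's runtime offers.
type Probe struct {
	Env           map[string]string
	SharedFileOK  bool // a usable shared credentials file exists
	IMDSReachable bool // the node's instance metadata service answers
}

// hasIRSA reports whether both variables that IRSA injects are set.
func hasIRSA(p Probe) bool {
	return p.Env["AWS_ROLE_ARN"] != "" && p.Env["AWS_WEB_IDENTITY_TOKEN_FILE"] != ""
}

// Resolve returns the first provider in chain that can supply credentials, or "".
func Resolve(chain []string, p Probe) string {
	usable := map[string]bool{
		Env:         p.Env["AWS_ACCESS_KEY_ID"] != "" && p.Env["AWS_SECRET_ACCESS_KEY"] != "",
		SharedFile:  p.SharedFileOK,
		WebIdentity: hasIRSA(p),
		EC2Role:     p.IMDSReachable,
	}
	for _, name := range chain {
		if usable[name] {
			return name
		}
	}
	return ""
}

// IRSABypassed flags a pod with IRSA configured whose credentials come from elsewhere.
func IRSABypassed(chain []string, p Probe) bool {
	return hasIRSA(p) && Resolve(chain, p) != WebIdentity
}

func main() {
	pod := Probe{Env: map[string]string{"AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/example", "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/token"}, IMDSReachable: true} // constructed values
	fmt.Println(Resolve(HardCoded, pod), IRSABypassed(HardCoded, pod), Resolve(WithWebIdentity, pod), IRSABypassed(WithWebIdentity, pod))
}
```

In this model the pod with IRSA variables set resolves to the node's instance role under the hard-coded order, which is the case `IRSABypassed` is meant to catch before a workload runs with broader permissions than its service account role.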

jordanjennings added a commit to jordanjennings/dockcmd that referenced this issue Mar 11, 2022
fixes boxboat#50

Signed-off-by: Jordan Jennings <jordan@boxboat.com>
jordanjennings added a commit that referenced this issue Mar 14, 2022
* Use default credential provider chain for AWS

fixes #50

Signed-off-by: Jordan Jennings <jordan@boxboat.com>

* PR feedback

Signed-off-by: Jordan Jennings <jordan@boxboat.com>