-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature request: support aws auth #147
Comments
Hi @heimweh, no concrete plans but this is great to know there's interest. It's not something I've thought a lot about previously, but I'd be interested to discuss the design before getting into any PRs to ensure there's a good chance of it getting merged, so thanks for opening this first. Currently the only configurability we support for auth is the The slightly trickier issue is identity. It's important to the design of the project that we authenticate using the requesting pod's identity and not the provider pod's identity. That's why we create a service account token for the requesting pod's service account rather than use the pod's own token, and hopefully in the near future we can stop needing to do that and use a CSI token attached in the mount request instead of creating a fresh one - ref. For that reason, I'm pretty keen to continue using a service account token as the basis for identity, and I'm not sure if that's going to be compatible with using AWS auth? I'm much more familiar with the Vault side of things than AWS - do you know what identity options we have in that context? |
Hey @tomhjp, thanks for the quick reply 馃檹 Great to hear! I saw that the current auth is more or less centered around the Kubernetes auth and yeah I totally agree, I got it to work using the requesting pod's service account but it's a bit involved and requires IRSA:
Nice! I really like the idea of using the CSI token attached in the mount request 馃檶 |
Awesome, that sounds perfect! Thanks for the explainer. Now that you mention it I remember we support IRSA in the Vault Agent injector as well. I think the design of the awsAuth:
mountPath: "aws"
role: "my-aws-auth-role"
... I think auth:
type: "aws"
mountPath: "my-aws-mount"
role: "my-aws-auth-role"
aws:
# Optional block for AWS-specific configuration here WDYT? Lots of other options too of course. I'd be very happy to review and iterate if you do fancy tidying up your POC to open a PR 馃檶 |
Yeah that's true, we use it and it works great in our environment 馃檹 That's awesome! I'll try to clean up the PoC and I'll open a PR, happy to iterate from there 馃檪 馃檹 |
Hey @heimweh - I'm pretty interested on this feature. Do you have any updates on this? |
Hi! Loving the project so far! 馃檶
It seems like the CSI provider supports k8s auth at the moment. Are there plans to support other auth methods in the future?
I managed to implement a PoC with AWS auth, it's not quite ready yet to be submitted but I just wanted to check in here before, if it would be a welcomed addition? 馃檪
Thanks in advance 馃檪 馃檹
cc @joatmon08 (meeting at AWS re:Invent).
The text was updated successfully, but these errors were encountered: