feat(frontend): Implement aws-js-sdk crendentials to support IRSA for s3 #8651
Conversation
|
Looks like the prow job is running with node 12 installed, when it should move to using node 14? The front-end unit tests pass locally. https://github.com/GoogleCloudPlatform/oss-test-infra/blob/b3128a944261abbbc3e23b7db974f95ea6c93192/prow/prowjobs/kubeflow/pipelines/kubeflow-pipelines-presubmits.yaml#L9 and I've opened a pr GoogleCloudPlatform/oss-test-infra#1864 |
|
/test kubeflow-pipeline-frontend-test |
|
Good to see that the node14 update lets the tests run. Let me fix this unit-test looks like this is expected now since the prow has no credentials and it has exhausted all options. Missed this locally since my local env must have had some lingering creds somewhere. |
|
/retest |
frontend/server/minio-helper.ts
Outdated
| @@ -39,22 +39,21 @@ export interface MinioClientOptionsWithOptionalSecrets extends Partial<MinioClie | |||
| export async function createMinioClient(config: MinioClientOptionsWithOptionalSecrets) { | |||
| if (!config.accessKey || !config.secretKey) { | |||
| try { | |||
| if (await awsInstanceProfileCredentials.ok()) { | |||
| const credentials = await awsInstanceProfileCredentials.getCredentials(); | |||
There was a problem hiding this comment.
In the design doc, you mention that we will fail back to existing solution if the IRSA doesn't work. It doesn't look like the case in this block. Can we retain the existing solution?
| return new MinioClient({ ...config, accessKey, secretKey, sessionToken }); | ||
| } | ||
| console.error('unable to get credentials from AWS metadata store.'); | ||
| const credentials = fromNodeProviderChain(); |
There was a problem hiding this comment.
Is it possible to detect the source of object storage is AWS first, and perform IRSA only when it is AWS S3? (Pattern like "arn:aws:s3:::$mybucket/*") If it is generic S3 API, then we shouldn't use IRSA solution.
There was a problem hiding this comment.
@zijianjoy The code that used to be in this block was checking for AWS metadata store credentials. The fromNodeProviderChain() will try to access IRSA credentials then fallback and one of those would be AWS metadata store credentials which retains the exsiting functionality.
If the option is preferred, then what I can do is call the existing
pipelines/frontend/server/aws-helper.ts
Line 54 in 834d966
There was a problem hiding this comment.
Hello Ryan, thank you for replying to my comment, Sounds good on using isS3Endpoint , I would also suggest adding a comment to explain that which logic area is specific to AWS, and which logic is generic S3.
There was a problem hiding this comment.
@zijianjoy What is an example of generic S3 which has s3:// in the source/URL?
https://github.com/kubeflow/pipelines/blob/master/frontend/server/handlers/artifacts.ts#L33
Want to make sure we do not introduce a breaking change, ref #8651 (comment)
| @@ -37,6 +38,25 @@ export interface MinioClientOptionsWithOptionalSecrets extends Partial<MinioClie | |||
| * @param config minio client options where `accessKey` and `secretKey` are optional. | |||
| */ | |||
| export async function createMinioClient(config: MinioClientOptionsWithOptionalSecrets) { | |||
| // This logic is AWS S3 specific | |||
| if (isS3Endpoint(config.endPoint)) { | |||
There was a problem hiding this comment.
I think this would be a breaking change. Please correct me if my understanding is not correct
as of now no endpoint is set when running on an AWS by default. Afaik, it hits the s3 case based of the URL of the object i.e. source being s3 s3://
There was a problem hiding this comment.
When createMinioClient is called in the s3 case it passes in the aws artifactsConfig which contains endpoint, that resolves to the default value of s3.amazonaws.com or the env variable of AWS_S3_ENDPOINT. I'm not sure what you mean by breaking change?
There was a problem hiding this comment.
pipelines/frontend/server/configs.ts
Line 128 in 88a9a31
Got it, thanks
|
/test kubeflow-pipeline-frontend-test |
| } | ||
| } | ||
|
|
||
| // This logic is S3 generic | ||
| if (!config.accessKey || !config.secretKey) { | ||
| try { | ||
| if (await awsInstanceProfileCredentials.ok()) { |
There was a problem hiding this comment.
This code is outdated and should be removed since there is an updated implementation for AWS S3. New implementation supports multiple ways to provide credentials including better security practices.
Better to discuss it in a separate PR
|
@zijianjoy Can you take another look? |
|
friendly reminder @zijianjoy since next release might be planned soon. We want to test this as part of distribution testing. Thanks |
|
Hi @surajkota @ryansteakley , |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jlyaoyuli, mvoitko, surajkota The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
… s3 (#8651) * use aws js sdk for credentials concerning aws * format code * catch exception if no credentials are found after using credentialchain * revert changes and add section for specific aws changes * revert deleting aws-helper mock * add privatelink test for isS3endpiont * fix try block
Description of your changes:
#8502 details most of the changes and reasoning in a design document.
Removing most of the aws-helper code that pertains to grabbing the credentials from the ec2 instance metadata as this code is already handled as part of the
credentialProviderChainthat is being imported here.Checklist: