Add support for AWS Auth with WebIdentity/OIDC #1112

Closed
wants to merge 1 commit into from

samskeyti88
Contributor

Add support for AWS Auth with WebIdentity/OIDC
#1075

@bstascavage

Any movement on this? I am running into an issue related to this.

@barryib

barryib commented Nov 30, 2020

@fviard Any chance to get this reviewed? This tool is used in a lot of other cool projects (like GitLab) and this issue prevents us from using the backup feature in EKS.

@fviard
Contributor

fviard commented Nov 30, 2020

@barryib Hi, I will try to review it in the coming days.

@hanfi

hanfi commented Jan 11, 2021

Is this PR forgotten?? It will be great to get this PR merged; s3cmd is used by the GitLab task runner, and in an EKS environment this is the only serious way to authenticate to backup buckets.
I'm sure GitLab will update their Docker images to the newer s3cmd version to enable connection through EKS OIDC WebIdentity for backups, since putting AWS creds into EKS secrets is not a good practice.

@hickey

hickey commented Apr 14, 2021

@samskeyti88 It appears that your branch needs to be rebased against the current master and the conflicts resolved. Maybe doing so will entice the maintainers to consider and move this PR forward. I think that there are a lot of us out here that would like to see this PR merged.

@stevehipwell

Any progress on this?

@ZF-fredericvanlinthoudt

@fviard It would be really helpful if you could review (& approve) this PR 🥇
GitLab uses s3cmd in their task runner to store backups on S3 and if GitLab is running on AWS EKS then the most practical & secure way to authenticate towards S3 is by assuming roles with web identity via IRSA.
Some companies just don't allow the use of IAM access key & secrets in production environments and this would definitely be a proper solution to get it working in the right way.
Thanks for considering this!

@fviard
Contributor

fviard commented May 12, 2021

@ZF-fredericvanlinthoudt I'm sorry that it is taking me a little bit of time to get into this subject, but I'm looking at it and will rebase/merge it soon.

@mosspilot

Would love to see this implemented / merged. It is a really worthwhile feature with security benefits. Anything we can do to help move this across the finish line?

@fviard fviard added this to the 2.2.0 milestone Jul 5, 2021
@fviard
Contributor

fviard commented Jul 5, 2021

I have rebased and completed this PR with changes that I have pushed to master.

With commits up to d761ead, this feature should now be available.

@samskeyti88 Thank you very much for this PR

@mosspilot I have pushed things to master, but it is untested, so the best help that you could provide me is to give the MASTER branch a try and let me know if everything works OK or if you have any issue.

Also, the final change now supports AssumeRole and AssumeRoleWithWebIdentity.
If you only have the AWS_ROLE_ARN env variable set, "AssumeRole" will be used.
If you have in addition AWS_WEB_IDENTITY_TOKEN_FILE set, it is "AssumeRoleWithWebIdentity" that will be used.

That would be great if someone is able to give the support for AssumeRole a try also.

@fviard fviard closed this Jul 5, 2021
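
The selection rule described in the last comment, written out as an added example (not s3cmd's own code and not part of the thread): it picks the STS action from the two environment variables and builds the corresponding STS query parameters. The function names, the default session name and the sample values in any call are assumptions made for illustration.

```python
import os
from urllib.parse import urlencode

STS_API_VERSION = "2011-06-15"  # version string of the STS query API


def select_sts_action(env):
    """Pick the STS action from the two variables named in the thread."""
    if not env.get("AWS_ROLE_ARN"):
        return None  # no role configured: fall back to other credentials
    if env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        return "AssumeRoleWithWebIdentity"
    return "AssumeRole"


def build_sts_query(env, session_name="example-session"):
    """Return the urlencoded STS query string, or None if no role is set.

    session_name is a hypothetical default chosen for this example.
    """
    action = select_sts_action(env)
    if action is None:
        return None
    params = {
        "Action": action,
        "Version": STS_API_VERSION,
        "RoleArn": env["AWS_ROLE_ARN"],
        "RoleSessionName": session_name,
    }
    if action == "AssumeRoleWithWebIdentity":
        # The projected token is a bearer credential: read it fresh each
        # time (it is rotated) and never log it.
        path = env["AWS_WEB_IDENTITY_TOKEN_FILE"]
        with open(path, encoding="utf-8") as fh:
            token = fh.read().strip()
        if not token:
            raise ValueError("web identity token file is empty: " + path)
        params["WebIdentityToken"] = token
    # AssumeRole must additionally be SigV4-signed with existing credentials;
    # AssumeRoleWithWebIdentity is sent unsigned, the token authenticates it.
    return urlencode(params)


if __name__ == "__main__":
    action = select_sts_action(os.environ)
    print("STS action selected from environment:", action)
```

Because the web identity path needs no long-lived access key, an empty or unreadable token file should fail loudly rather than silently falling back to static credentials.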