@matthewoflynn
Contributor

This change is to resolve: #18

Apologies for any blunders in advance; I'm not a Go developer. I've updated both the aws-sdk-go and Go versions to the latest versions and have run the tests.

Output

> go test -timeout 5s -race -v ./...
?   	github.com/scribd/objinsync	[no test files]
=== RUN   TestWalkAndDeleteEmptyDir
--- PASS: TestWalkAndDeleteEmptyDir (0.00s)
=== RUN   TestWalkAndExcludeDir
--- PASS: TestWalkAndExcludeDir (0.00s)
=== RUN   TestWalkAndExcludeNestedDirs
--- PASS: TestWalkAndExcludeNestedDirs (0.00s)
=== RUN   TestWalkAndExcludeFile
--- PASS: TestWalkAndExcludeFile (0.00s)
=== RUN   TestSkipParentDir
--- PASS: TestSkipParentDir (0.00s)
=== RUN   TestDeleteStaleFile
--- PASS: TestDeleteStaleFile (0.00s)
=== RUN   TestSkipObjectsWithoutChange
--- PASS: TestSkipObjectsWithoutChange (0.00s)
=== RUN   TestSkipExcludedObjects
--- PASS: TestSkipExcludedObjects (0.00s)
=== RUN   TestSkipDirectories
--- PASS: TestSkipDirectories (0.00s)
=== RUN   TestNestedPathDownload
--- PASS: TestNestedPathDownload (0.00s)
PASS
ok  	github.com/scribd/objinsync/pkg/sync	0.612s

Further Testing

I've deployed a Docker image with this change to an EKS cluster and verified that the correct IAM role is being picked up.

ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: airflow
  annotations:
    "eks.amazonaws.com/role-arn": "arn:aws:iam::<---role--->"

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: basic-deployment
  labels:
    app: simple
spec:
  replicas: 1
  selector:
    matchLabels:
      app: simple
  template:
    metadata:
      labels:
        app: simple
    spec:
      serviceAccountName: airflow
      securityContext:
        # objinsync runs with a non-root user and when running a container with
        # a non-root user, you need to give the container access to the token 
        # file by setting the fsGroup field in the securityContext object.
        #
        # Ref: https://github.com/aws/amazon-eks-pod-identity-webhook#usage-with-non-root-container-user
        fsGroup: 1000
      containers:
      - name: objinsync
        image: <private-docker-container-registry>/objinsync:latest
        command: ["objinsync"]
        args: ["pull", "--interval", "10s", "s3://example-bucket/", "/tmp"]
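
The non-root token access noted in the securityContext comment above can be checked from inside the container before the SDK is involved. This Go program is an added example, not part of the pull request or of objinsync: the name `CheckIRSA` is hypothetical, the `default` namespace is an assumption, and `AWS_ROLE_ARN` / `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables the EKS pod identity webhook injects.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// CheckIRSA is a local diagnostic: it confirms the webhook's env vars are set,
// that the current (possibly non-root) user can read the projected token, and
// that the token's "sub" claim names the expected service account. It does not
// verify the JWT signature (STS does). getenv is injected for testing.
func CheckIRSA(getenv func(string) string, wantSub string) (roleARN string, err error) {
	roleARN = getenv("AWS_ROLE_ARN")
	path := getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	if roleARN == "" || path == "" {
		return roleARN, errors.New("webhook env vars missing: check serviceAccountName and role-arn annotation")
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		// A permission error here is the case that setting fsGroup resolves.
		return roleARN, fmt.Errorf("token file unreadable (is fsGroup set?): %w", err)
	}
	parts := strings.Split(strings.TrimSpace(string(raw)), ".")
	if len(parts) != 3 {
		return roleARN, errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return roleARN, fmt.Errorf("decode JWT payload: %w", err)
	}
	var claims struct{ Sub string `json:"sub"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return roleARN, fmt.Errorf("parse JWT claims: %w", err)
	}
	if claims.Sub != wantSub {
		return roleARN, fmt.Errorf("token subject is %q, want %q", claims.Sub, wantSub)
	}
	return roleARN, nil
}

func main() {
	// Namespace "default" is an assumption; "airflow" is the ServiceAccount name above.
	role, err := CheckIRSA(os.Getenv, "system:serviceaccount:default:airflow")
	fmt.Printf("role=%q err=%v\n", role, err)
}
```

A nil error means the pod has what the SDK's web identity provider needs; the role that is actually assumed is still decided by STS and the role's trust policy.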

Contributor

@houqp houqp left a comment

Thank you @matthewoflynn for the upgrade!

@houqp houqp enabled auto-merge (squash) October 25, 2021 22:21
@houqp houqp merged commit 0bd0381 into scribd:master Oct 25, 2021
Development

Successfully merging this pull request may close these issues.

Update aws-sdk-go to support AWS IAM roles for Kubernetes service accounts
