Support EKS Pod Identity credentials #3416

Merged
merged 6 commits into from
Feb 23, 2024

Contributor

@jackkleeman jackkleeman commented Feb 15, 2024

Motivation and Context

I would like to support EKS Pod Identity credentials in the Rust SDKs

Description

This brings the ECS provider in line with other SDKs (e.g., Go) by supporting `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` as well as permitting HTTP IPs to be non-loopback if they are the EKS Pod Identity IPs.

Testing

I have added various new unit tests, and I have updated the existing integration test to also create pods with EKS Pod Identity creds, which I have used to test in a real EKS cluster as well.

Checklist

  • I have updated CHANGELOG.next.toml if I made changes to the smithy-rs codegen or runtime crates

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@jackkleeman jackkleeman requested review from a team as code owners February 15, 2024 16:44
@jackkleeman jackkleeman changed the title Eks pod identity Support EKS Pod Identity credentials Feb 15, 2024
@jackkleeman jackkleeman force-pushed the eks-pod-identity branch 3 times, most recently from 9032e5e to a414ee1 Compare February 15, 2024 16:56
@rcoh
Collaborator

rcoh commented Feb 15, 2024

This looks great! Someone from our team will do a detailed review next week. The one missing piece is an e2e integration test. You can see examples here: https://github.com/smithy-lang/smithy-rs/tree/6e3e010e912874262b37727d900d7fae170efaed/aws/rust-runtime/aws-config/test-data/default-provider-chain/ecs_credentials_invalid_profile

@jackkleeman
Contributor Author

done @rcoh

Collaborator

@jdisanti jdisanti left a comment

This is a really high quality contribution, thank you! ❤️

There are just a couple of things that need to be changed before we can merge.

aws/rust-runtime/aws-config/src/ecs.rs (outdated, resolved)
aws/rust-runtime/aws-config/src/ecs.rs (outdated, resolved)
.await
.expect("localhost is the loopback interface");
validate_full_uri("http://169.254.170.2.backname.io:8888/creds", dns.clone())
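
Review bot: on the `validate_full_uri("http://169.254.170.2.backname.io:8888/creds", dns.clone())` line, the outcome depends on what a third-party domain resolves to at run time, and nothing at the call site says which address is expected. A short comment above the call stating the expected resolved address, and why validation should then pass or fail, would make the test readable without knowing how the external service behaves.
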
Collaborator

This definitely works, but I'm a little hesitant to have our tests rely on backname.io since it adds some level of risk to our release process if backname.io happens to go down for a period of time. Could you refactor the test to use a fake ResolveDns trait implementation instead of the real one?

Contributor Author

This test is skipped because it already relies on DNS resolution (of amazon.com);
see the comment `// ignored by default because it relies on actual DNS resolution`.
Is there some release process that is unskipping it?

Collaborator

Oh, nope. I just didn't see that comment. Looks good then.
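
The rule from the pull request description (plain HTTP allowed only for loopback or EKS Pod Identity addresses), combined with the injected fake resolver suggested in the review thread above, as an added example that is not code from this pull request or from smithy-rs. `check_full_uri`, `fake_dns`, the `.test` hostnames and the error names are hypothetical; the two agent addresses are the ones AWS documents for the Pod Identity Agent and do not appear on this page.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

// EKS Pod Identity Agent addresses per AWS documentation (assumed; not listed on this page).
const EKS_V4: IpAddr = IpAddr::V4(Ipv4Addr::new(169, 254, 170, 23));
const EKS_V6: IpAddr = IpAddr::V6(Ipv6Addr::new(0xfd00, 0x0ec2, 0, 0, 0, 0, 0, 0x23));

#[derive(Debug, PartialEq)]
enum UriError { UnsupportedScheme, UserInfo, Unresolvable, DisallowedIp(IpAddr) }

fn http_ip_allowed(ip: &IpAddr) -> bool {
    ip.is_loopback() || *ip == EKS_V4 || *ip == EKS_V6
}

// Hypothetical validator: HTTPS to any host, plain HTTP only to allowed IPs.
// `resolve` is an injected DNS lookup so tests can pass a fake instead of real DNS.
fn check_full_uri(uri: &str, resolve: &dyn Fn(&str) -> Vec<IpAddr>) -> Result<(), UriError> {
    if uri.starts_with("https://") {
        return Ok(());
    }
    let rest = uri.strip_prefix("http://").ok_or(UriError::UnsupportedScheme)?;
    // Simplified authority parsing for the example; userinfo is rejected outright.
    let authority = rest.split(|c| matches!(c, '/' | '?' | '#')).next().unwrap_or("");
    if authority.contains('@') {
        return Err(UriError::UserInfo);
    }
    let host = match authority.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""),
        None => authority.rsplit_once(':').map_or(authority, |(h, _)| h),
    };
    let ips = host.parse::<IpAddr>().map(|ip| vec![ip]).unwrap_or_else(|_| resolve(host));
    // Every resolved address must pass, not only the first; no answer at all is a failure.
    match ips.iter().find(|ip| !http_ip_allowed(ip)) {
        _ if ips.is_empty() => Err(UriError::Unresolvable),
        Some(bad) => Err(UriError::DisallowedIp(*bad)),
        None => Ok(()),
    }
}

// Constructed fake DNS table standing in for a real resolver.
fn fake_dns(host: &str) -> Vec<IpAddr> {
    match host {
        "agent.test" => vec![EKS_V4],
        "mixed.test" => vec![EKS_V4, IpAddr::V4(Ipv4Addr::new(203, 0, 113, 9))],
        _ => vec![],
    }
}

fn main() {
    println!("{:?}", check_full_uri("http://mixed.test:8888/creds", &fake_dns));
}
```

The `mixed.test` case is the one a real-DNS test cannot pin down: a name that returns one allowed and one disallowed record has to be rejected, otherwise the bearer token read from the token file could be sent in cleartext to the second address.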

jackkleeman and others added 4 commits February 23, 2024 09:29
This brings this provider in line with other sdks by supporting AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
as well as permitting http IPs to be non-loopback if they are the EKS pod identity IPs.

Signed-off-by: Jack Kleeman <jackkleeman@gmail.com>
Signed-off-by: Jack Kleeman <jackkleeman@gmail.com>
Co-authored-by: John DiSanti <john@vinylsquid.com>
Collaborator

@jdisanti jdisanti left a comment

Looks great. Thank you!

@jdisanti jdisanti added this pull request to the merge queue Feb 23, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 23, 2024
@jdisanti jdisanti added this pull request to the merge queue Feb 23, 2024
Merged via the queue into smithy-lang:main with commit 07c8074 Feb 23, 2024
39 checks passed
@jackkleeman jackkleeman deleted the eks-pod-identity branch February 26, 2024 07:22