fix: AWS auth fixes #1209

Merged
merged 2 commits into from Feb 11, 2022

Contributor

@kujon kujon commented Feb 4, 2022

Database name

Any

Pull request description

Fixes #886, #562

Describe what this PR fixes

wal-g supports a very limited number of methods of authenticating with AWS. This PR does 2 things:

  • it deprecates explicitly passing in aws credentials
  • it makes use of aws.credentials.ChainProvider to quack the same as e.g. aws cli.

It's a remake of this PR from a now deprecated repo.

@kujon kujon requested a review from a team as a code owner February 4, 2022 17:58
@usernamedt
Member

Hi! As I can see, this issue has been already addressed in wal-g/storages#45 and #1183. Can you please clarify the difference between this PR and the master branch (except the warning messages)?

@mialinx
Contributor

mialinx commented Feb 6, 2022

There are two moments:

  • S3 is more than AWS object storage: there are other S3-compatible storages (Yandex Cloud, for instance) which provide the S3 REST API, but not AWS-like configuration. So, AWS_ACCESS_KEY_ID and others can't be deprecated at the moment.
  • There is a scenario with copying backups from one storage to another. In this case, we have to configure multiple storages with different bucket_names (and maybe access keys). How can we handle it without AWS_* options in the config?

@mialinx
Contributor

mialinx commented Feb 8, 2022

It looks like the problem is that we use storage settings (such as AWS_ACCESS_KEY_ID) to choose configured storage.
Maybe we need to add explicit storage type setting like WALG_STORAGE=S3 or WALG_STORAGE=SSH, leaving current method as fallback. We will be able to use S3 storage without any (AWS_...) options in config at all, just as @kujon suggests.

@usernamedt ?

@usernamedt
Member

usernamedt commented Feb 8, 2022

> It looks like the problem is that we use storage settings (such as AWS_ACCESS_KEY_ID) to choose configured storage. Maybe we need to add explicit storage type setting like WALG_STORAGE=S3 or WALG_STORAGE=SSH, leaving current method as fallback. We will be able to use S3 storage without any (AWS_...) options in config at all, just as @kujon suggests.
>
> @usernamedt ?

We already don't rely on any AWS_* auth setting to determine that storage type is AWS. WAL-G uses the WALG_*_PREFIX for this purpose, i.e. WALG_S3_PREFIX in the case of AWS.

@mialinx
Contributor

mialinx commented Feb 8, 2022

> > It looks like the problem is that we use storage settings (such as AWS_ACCESS_KEY_ID) to choose configured storage. Maybe we need to add explicit storage type setting like WALG_STORAGE=S3 or WALG_STORAGE=SSH, leaving current method as fallback. We will be able to use S3 storage without any (AWS_...) options in config at all, just as @kujon suggests.
> > @usernamedt ?
>
> We already don't rely on any AWS_* auth setting to determine that storage type is AWS. WAL-G uses the WALG_*_PREFIX for this purpose, i.e. WALG_S3_PREFIX in the case of AWS.

Oh, my bad )
Well, then we could just remove deprecation comments warnings (as we plan to AWS_ACCESS_KEY_ID for a long time) and merge this PR.

@kujon
Contributor Author

kujon commented Feb 8, 2022

> > > It looks like the problem is that we use storage settings (such as AWS_ACCESS_KEY_ID) to choose configured storage. Maybe we need to add explicit storage type setting like WALG_STORAGE=S3 or WALG_STORAGE=SSH, leaving current method as fallback. We will be able to use S3 storage without any (AWS_...) options in config at all, just as @kujon suggests.
> > > @usernamedt ?
> >
> > We already don't rely on any AWS_* auth setting to determine that storage type is AWS. WAL-G uses the WALG_*_PREFIX for this purpose, i.e. WALG_S3_PREFIX in the case of AWS.
>
> Oh, my bad )
> Well, then we could just remove deprecation comments warnings (as we plan to AWS_ACCESS_KEY_ID for a long time) and merge this PR.

Will do, give me a day!

Contributor

@mialinx mialinx left a comment

LGTM
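
Added example, not part of this thread and not wal-g's or the AWS SDK's code: a stdlib-only Go model of the behaviour the discussion settles on, where `WALG_S3_PREFIX` alone selects S3 storage and credentials come from the first provider in a chain that has its settings. The provider order, the `Settings` type and the `ResolveS3Auth` name are assumptions of this example, and the STS token exchange a real web-identity provider performs is left out.

```go
package main

import "fmt"

// Settings is a constructed stand-in for the environment / config file.
type Settings map[string]string

// provider is one credential source; check errors when its settings are absent.
type provider struct {
	name  string
	check func(Settings) error
}

// Chain order is an assumption of this example: explicit keys first (still
// needed for S3-compatible stores), then OIDC web identity (EKS IAM roles).
var chain = []provider{
	{"static-keys", func(s Settings) error {
		if s["AWS_ACCESS_KEY_ID"] == "" || s["AWS_SECRET_ACCESS_KEY"] == "" {
			return fmt.Errorf("access key id or secret missing")
		}
		return nil
	}},
	{"web-identity", func(s Settings) error {
		if s["AWS_ROLE_ARN"] == "" || s["AWS_WEB_IDENTITY_TOKEN_FILE"] == "" {
			return fmt.Errorf("role ARN or token file missing")
		}
		return nil // a real provider exchanges the token with STS here
	}},
}

// ResolveS3Auth (hypothetical name) reports which provider would supply
// credentials. Storage selection depends only on WALG_S3_PREFIX.
func ResolveS3Auth(s Settings) (string, error) {
	if s["WALG_S3_PREFIX"] == "" {
		return "", fmt.Errorf("S3 storage not selected: WALG_S3_PREFIX is empty")
	}
	var tried []string
	for _, p := range chain {
		err := p.check(s)
		if err == nil {
			return p.name, nil
		}
		tried = append(tried, p.name+": "+err.Error())
	}
	return "", fmt.Errorf("no usable credentials: %v", tried)
}

func main() {
	fmt.Println(ResolveS3Auth(Settings{"WALG_S3_PREFIX": "s3://example-bucket/pg", "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE"})) // constructed input
}
```

Logging the returned provider name at start-up gives operators a record of whether a backup job ran on long-lived keys or on a role-based identity.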

@martin31821

Any chance we can get a release containing this PR?

@x4m
Collaborator

x4m commented Apr 26, 2022

@usernamedt do you plan release\prerelease soon? Do we have something to show to the community? :)

@x4m
Collaborator

x4m commented Apr 26, 2022

@Jasper-Ben

👋 @x4m, I am working with @martin31821. The good news is: v2.0.0-rc1 works for our usecase. See: zalando/postgres-operator#1124 (comment)
@usernamedt a GA release would be great! 👍

Jasper-Ben added a commit to iris-GmbH/spilo that referenced this pull request Apr 27, 2022
This enables support for eks iam role authentication.

See:

- wal-g/wal-g#1209
- zalando/postgres-operator#1124 (comment)
@usernamedt
Member

> @usernamedt do you plan release\prerelease soon? Do we have something to show to the community? :)

Hi! Yes, I guess that we can cut a release soon. Most probably, the next week.

Successfully merging this pull request may close these issues.

AWS authentication using OIDC web identity token