
Updating AWS SDK to support assuming an IAM role via an OIDC web identity token file #19


Merged
merged 3 commits into from
Oct 25, 2021

Conversation

matthewoflynn
Contributor

This change is to resolve: #18

Apologies for any blunders in advance, I'm not a Go developer. I've updated both the aws-sdk-go and go versions to the latest versions and have run the tests.

Output

> go test -timeout 5s -race -v ./...
?   	github.com/scribd/objinsync	[no test files]
=== RUN   TestWalkAndDeleteEmptyDir
--- PASS: TestWalkAndDeleteEmptyDir (0.00s)
=== RUN   TestWalkAndExcludeDir
--- PASS: TestWalkAndExcludeDir (0.00s)
=== RUN   TestWalkAndExcludeNestedDirs
--- PASS: TestWalkAndExcludeNestedDirs (0.00s)
=== RUN   TestWalkAndExcludeFile
--- PASS: TestWalkAndExcludeFile (0.00s)
=== RUN   TestSkipParentDir
--- PASS: TestSkipParentDir (0.00s)
=== RUN   TestDeleteStaleFile
--- PASS: TestDeleteStaleFile (0.00s)
=== RUN   TestSkipObjectsWithoutChange
--- PASS: TestSkipObjectsWithoutChange (0.00s)
=== RUN   TestSkipExcludedObjects
--- PASS: TestSkipExcludedObjects (0.00s)
=== RUN   TestSkipDirectories
--- PASS: TestSkipDirectories (0.00s)
=== RUN   TestNestedPathDownload
--- PASS: TestNestedPathDownload (0.00s)
PASS
ok  	github.com/scribd/objinsync/pkg/sync	0.612s

Further Testing

I've deployed a Docker image with this change to an EKS cluster and verified that the correct IAM role is being picked up.

ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: airflow
  annotations:
    "eks.amazonaws.com/role-arn": "arn:aws:iam::<---role--->"

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: basic-deployment
  labels:
    app: simple
spec:
  replicas: 1
  selector:
    matchLabels:
      app: simple
  template:
    metadata:
      labels:
        app: simple
    spec:
      serviceAccountName: airflow
      securityContext:
        # objinsync runs with a non-root user and when running a container with
        # a non-root user, you need to give the container access to the token 
        # file by setting the fsGroup field in the securityContext object.
        #
        # Ref: https://github.com/aws/amazon-eks-pod-identity-webhook#usage-with-non-root-container-user
        fsGroup: 1000
      containers:
      - name: objinsync
        image: <private-docker-container-registry>/objinsync:latest
        command: ["objinsync"]
        args: ["pull", "--interval", "10s", "s3://example-bucket/", "/tmp"]

Contributor

@houqp houqp left a comment

Thank you @matthewoflynn for the upgrade!

@houqp houqp enabled auto-merge (squash) October 25, 2021 22:21
@houqp houqp merged commit 0bd0381 into scribd:master Oct 25, 2021

Successfully merging this pull request may close these issues.

Update aws-sdk-go to support AWS IAM roles for Kubernetes service accounts