Released

AWS EKS - enable FME Engine for IAM Roles for Service Accounts (IRSA)

Related products:FME Flow
  • April 14, 2021
  • 1 reply
  • 19 views

Hi folks,

It would be useful to add support for AWS IRSA in AWS EKS environments, so that we can annotate the service accounts (for example: FME Engine) to get temporary AWS credentials to access AWS S3/SQS. In our environment we need to rotate AWS IAM user credentials every 90 days; with the AWS IRSA solution we get new temporary AWS credentials by default every 24 hours, which helps us a lot with managing security-related stuff in daily business...

Annotate the Kubernetes ServiceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/fme-engine


After startup the container gets two new environment variables, like:

- name: AWS_ROLE_ARN
  value: arn:aws:iam::123456789012:role/fme-engine
- name: AWS_WEB_IDENTITY_TOKEN_FILE
  value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token


In the AWS SDK a new credentials provider is available, sts:AssumeRoleWithWebIdentity, for exchanging the Kubernetes-issued OIDC token for AWS role credentials:


https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/


We also opened an issue for helm-charts:

https://github.com/safesoftware/helm-charts/issues/64
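
As an added example (not part of the original post, the FME Engine image or the Safe Software helm chart), a Python pre-flight check a pod could run to confirm the IRSA wiring described above: it reads the two injected variables, inspects the projected token's claims, and assembles the parameters the SDK hands to sts:AssumeRoleWithWebIdentity. The token it writes is a constructed, unsigned stand-in; the namespace `fme`, the role ARN and the 24h expiry are assumptions taken from the post.

```python
import base64
import json
import pathlib
import tempfile

STS_AUDIENCE = "sts.amazonaws.com"  # audience EKS sets on the projected token

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    """Constructed offline stand-in for the projected token: alg none, empty signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'

def irsa_preflight(env: dict, namespace: str, sa_name: str, now: int) -> dict:
    """Check the IRSA wiring a pod receives and return what the SDK passes to
    sts:AssumeRoleWithWebIdentity. Signature is NOT verified here; STS does that."""
    role_arn, token_file = env.get("AWS_ROLE_ARN"), env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not role_arn or not token_file:
        raise RuntimeError("IRSA env vars missing: is the ServiceAccount annotated?")
    token = pathlib.Path(token_file).read_text(encoding="utf-8").strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise RuntimeError("token file does not hold a compact-serialized JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if STS_AUDIENCE not in aud:
        raise RuntimeError(f"token audience {aud} is not {STS_AUDIENCE}")
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    if claims.get("sub") != expected_sub:
        raise RuntimeError(f"token subject {claims.get('sub')!r} != {expected_sub!r}")
    if claims.get("exp", 0) <= now:
        raise RuntimeError("projected token expired; kubelet should have rotated it")
    return {"RoleArn": role_arn, "RoleSessionName": f"{sa_name}-{now}",
            "WebIdentityToken": token, "TokenSecondsLeft": claims["exp"] - now}

def demo(namespace: str = "fme", now: int = 1_700_000_000) -> dict:
    """Write a constructed 24h token to a temp dir and run the check as a pod would."""
    with tempfile.TemporaryDirectory() as tmp:
        token_path = pathlib.Path(tmp, "token")
        token_path.write_text(make_unsigned_token({
            "aud": [STS_AUDIENCE], "exp": now + 86400,   # 24h, as in the post
            "sub": "system:serviceaccount:fme:fme-engine"}), encoding="utf-8")
        env = {"AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/fme-engine",  # from the post
               "AWS_WEB_IDENTITY_TOKEN_FILE": str(token_path)}
        return irsa_preflight(env, namespace, "fme-engine", now)
```

Calling `demo(namespace="default")` fails the subject check, which is what you see when the annotated ServiceAccount and the pod's actual ServiceAccount differ.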


1 reply

  • Author
  • April 16, 2021

fme-engine supports AWS IRSA if you use our open PR:

https://github.com/safesoftware/helm-charts/pull/66


so feel free to close this idea :)