Adding a new method to provide creds seems fine. Feel free to contribute if you'd like. OPA does not vendor the SDK but you can see the implementations of existing providers for reference. Also the code here might be helpful.
May I kindly ask whether somebody is working on this issue? If not, I'm glad to undertake it.
I'm relatively new to contributing to open source projects, but I am eager to learn and will do my best to complete this task.
Thanks! @ashutosh-narkar
What is the underlying problem you're trying to solve?
Currently, OPA supports AWS Signatures using IAM Roles for Service Accounts (IRSA) in EKS to sign and retrieve bundles. EKS Pod Identities is a new way to manage permissions in EKS, and I would like OPA to add support for it.
Describe the ideal solution
I don't know if this solution is in line with the OPA project policies, but if OPA used the AWS SDK to access S3, an SDK upgrade would have added support for EKS Pod Identities. That said, I understand if the project does not want to take up the SDK.
Describe a "Good Enough" solution
Similar to OPA's support of IRSA, Pod Identities export the AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE that can be used to retrieve the auth token.
Additional Context
In November 2023, AWS announced EKS Pod Identity, which is a new feature that simplifies how Kubernetes applications obtain AWS IAM permissions. It is in a way the successor to IAM Roles for Service Accounts (IRSA). Many Kubernetes administrators are migrating from IRSA to Pod Identities for its simplified workflow, the ability to share roles across clusters and its support of session tags.