This feature is dearly missing for some use cases.
For job-based stuff, like Atlantis for instance, or other CI software, you can make do by populating your environment with a call to STS AssumeRoleWithWebIdentity and get a set of tokens for the duration of your job.
But for controllers, such as the GCP Secret CSI store, the only way to go is to have a service account's long-term JSON credentials.
Currently, authenticating with findDefaultCredentials() in AWS environments with workload identity federation only supports two schemes of authentication on AWS:
(ref: https://github.com/golang/oauth2/blob/master/google/internal/externalaccount/aws.go)
AWS supports another authentication scheme called "WEB_IDENTITY_TOKEN_FILE" which uses OAuth2/OIDC to generate temporary AWS credentials. This is commonly used in EKS environments when k8s service accounts are annotated to use an AWS IAM role: (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). It would be great if this SDK also supported this to make the integration in EKS-based workloads seamless.
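As an added example (not code from golang/oauth2 or from the issue author), this Go sketch shows what the missing scheme would have to do: read the IRSA-injected `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN`, then build the unsigned STS `AssumeRoleWithWebIdentity` request that exchanges the projected OIDC token for temporary AWS credentials. The injected `getenv`/`readFile` parameters and the session name are assumptions so it runs offline; the HTTP exchange and the XML response parsing are not shown.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// webIdentityConfig: the role to assume plus the projected OIDC token that proves the pod's identity.
type webIdentityConfig struct{ RoleArn, SessionName, Token string }

// lookupWebIdentity resolves the variables EKS (IRSA) injects into a pod whose service account
// is annotated with an IAM role. getenv/readFile are injected so the logic runs without a pod.
func lookupWebIdentity(getenv func(string) string, readFile func(string) ([]byte, error), sessionName string) (*webIdentityConfig, error) {
	tokenFile, roleArn := getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), getenv("AWS_ROLE_ARN")
	if tokenFile == "" || roleArn == "" {
		return nil, fmt.Errorf("web identity not configured: need AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN")
	}
	raw, err := readFile(tokenFile)
	token := strings.TrimSpace(string(raw))
	if err != nil || token == "" {
		return nil, fmt.Errorf("unusable web identity token file %q (err=%v)", tokenFile, err)
	}
	return &webIdentityConfig{RoleArn: roleArn, SessionName: sessionName, Token: token}, nil
}

// assumeRoleWithWebIdentityQuery builds the STS query for AssumeRoleWithWebIdentity. The call is
// unsigned: the OIDC token is the only credential, so no access key or metadata lookup comes first.
func assumeRoleWithWebIdentityQuery(c *webIdentityConfig, durationSeconds int) url.Values {
	q := url.Values{}
	q.Set("Action", "AssumeRoleWithWebIdentity")
	q.Set("Version", "2011-06-15")
	q.Set("RoleArn", c.RoleArn)
	q.Set("RoleSessionName", c.SessionName)
	q.Set("WebIdentityToken", c.Token)
	q.Set("DurationSeconds", fmt.Sprint(durationSeconds))
	return q
}

func main() {
	cfg, err := lookupWebIdentity(os.Getenv, os.ReadFile, "gcp-wif-demo") // session name is a constructed value
	if err != nil {
		fmt.Println("not on IRSA; the SDK would fall back to its existing schemes:", err)
		return
	}
	fmt.Println("https://sts.amazonaws.com/?" + assumeRoleWithWebIdentityQuery(cfg, 3600).Encode())
}
```

Sending that query to STS returns temporary credentials that the existing AWS credential source could then sign its GetCallerIdentity request with, which is exactly the step the SDK lacks today.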