Support for IRSA #63

Open
eloo-abi opened this issue Sep 20, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@eloo-abi

Hi,

We are right now trying to upload our HTML reports into S3 from our Kubernetes cluster, but it looks like IRSA (IAM roles for service accounts) is not supported right now.

It would be cool if a Kubernetes-native tool would support common authentication methods.

Thanks

@oleiade oleiade added the enhancement New feature or request label Sep 25, 2023
@oleiade
Member

oleiade commented Oct 4, 2023

Hi @eloo-abi 👋🏻

I'm unfamiliar with IAM roles for service accounts, although it looks like something worth looking into for the library. I don't think we'll have the capacity to prioritize this short-term ourselves, but if you wanted to take a stab at it, we would happily support you along the way 👍🏻

@iyuroch

iyuroch commented Oct 15, 2023

Hey @eloo-abi, you can use something like the code snippet below to get the access and secret keys from STS and later construct an AWSConfig from them:

```javascript
import http from 'k6/http';
import { AWSConfig, S3Client } from 'https://jslib.k6.io/aws/0.10.0/s3.js';

const S3_BUCKET_NAME = 'your_bucket_name';
const S3_OBJECT_KEY = 'path/to/your/s3/object/key';

const AWS_REGION = __ENV.AWS_REGION;
const AWS_ROLE_ARN = __ENV.AWS_ROLE_ARN;
// Service account token projected into the pod for IRSA.
const AWS_WEB_IDENTITY_TOKEN = open('/var/run/secrets/eks.amazonaws.com/serviceaccount/token', 'utf-8');

export function setup() {
  // Exchange the web identity token for temporary credentials via STS.
  const url = "https://sts.amazonaws.com";
  // URL-encode the values: a role name may contain characters such as "+" that are not query-safe.
  const assumeRoleWithWebIdentityURL = `${url}/?Action=AssumeRoleWithWebIdentity&RoleArn=${encodeURIComponent(AWS_ROLE_ARN)}&WebIdentityToken=${encodeURIComponent(AWS_WEB_IDENTITY_TOKEN)}&RoleSessionName=app1&Version=2011-06-15&DurationSeconds=3600`;

  const params = {
    headers: {
      Accept: "application/json"
    },
  };

  const res = http.post(assumeRoleWithWebIdentityURL, null, params).json();
  const credentials = res.AssumeRoleWithWebIdentityResponse.AssumeRoleWithWebIdentityResult.Credentials;
  const awsConfig = new AWSConfig({
    region: AWS_REGION,
    accessKeyId: credentials.AccessKeyId,
    secretAccessKey: credentials.SecretAccessKey,
    sessionToken: credentials.SessionToken,
  });

  // The value returned from setup() is handed to the default function as `data`.
  return { awsConfig: awsConfig };
}

export default async function(data) {
  const s3client = new S3Client(data.awsConfig);
  await s3client.putObject(S3_BUCKET_NAME, S3_OBJECT_KEY, "bleh");
  const obj = await s3client.getObject(S3_BUCKET_NAME, S3_OBJECT_KEY);
  console.log(JSON.stringify(obj));
}
```
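A variant of the token exchange in the comment above, as an added example that is not part of the thread or of the k6 AWS library: it sends the service account token in the POST body instead of the query string, so the token does not end up in request-URL logs, and it validates the inputs and the STS response before use. The helper names `buildStsRequest` and `parseStsCredentials` and the session name `k6-run` are hypothetical, and the regional endpoint form `sts.<region>.amazonaws.com` assumes the standard `aws` partition.

```javascript
// Added example (hypothetical helpers, no k6 imports so they can be unit-tested).
// In a k6 script, inside setup():
//   const req = buildStsRequest(__ENV.AWS_REGION, __ENV.AWS_ROLE_ARN, token, 'k6-run');
//   const creds = parseStsCredentials(http.post(req.url, req.body, req.params).json());

// Build an AssumeRoleWithWebIdentity request whose token travels in the body.
function buildStsRequest(region, roleArn, token, sessionName) {
  // The region becomes part of the host name, so reject anything unexpected.
  if (!/^[a-z]{2}(-[a-z]+)+-\d$/.test(region)) throw new Error('unexpected AWS region');
  if (!/^arn:aws:iam::\d{12}:role\/.+$/.test(roleArn)) throw new Error('unexpected role ARN');
  // Strip whitespace that a file read may carry, then check the JWT shape.
  const jwt = String(token).trim();
  if (jwt.split('.').length !== 3) throw new Error('token is not a three-part JWT');

  const fields = {
    Action: 'AssumeRoleWithWebIdentity',
    Version: '2011-06-15',
    RoleArn: roleArn,
    RoleSessionName: sessionName,
    WebIdentityToken: jwt,
    DurationSeconds: '3600',
  };
  // Form-encode every value; role names may contain "+", "=", "," or "@".
  const body = Object.keys(fields)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(fields[k])}`)
    .join('&');
  return {
    url: `https://sts.${region}.amazonaws.com/`,
    body: body,
    params: { headers: {
      Accept: 'application/json',
      'Content-Type': 'application/x-www-form-urlencoded',
    } },
  };
}

// Extract the temporary credentials, failing closed on any other response.
function parseStsCredentials(json) {
  const outer = json && json.AssumeRoleWithWebIdentityResponse;
  const result = outer && outer.AssumeRoleWithWebIdentityResult;
  const c = result && result.Credentials;
  if (!c || !c.AccessKeyId || !c.SecretAccessKey || !c.SessionToken) {
    // Deliberately no response body or token in the message: errors get logged.
    throw new Error('STS did not return credentials');
  }
  return { accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey, sessionToken: c.SessionToken };
}
```

The object returned by `parseStsCredentials` has the field names that the `AWSConfig` constructor in the comment above takes, alongside `region`.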

@eloo-abi
Author

@iyuroch awesome...
Thanks for the snippets, looks really promising.
I will give it a try.

@oleiade maybe this can be included in the lib to bring IRSA support to everyone?

@oleiade
Member

oleiade commented Oct 18, 2023

Hi @eloo-abi 👋🏻

I'm glad someone provided a workaround. Our short-term priorities haven't changed, and I don't think we would have the time to work on this at the moment actively. Besides, as we're internally not users of the feature ourselves, I think it would be better if the community provided a Pull Request implementing support for that feature.

We would of course gladly provide support on that front 👍🏻
