Comments (6)
@booleanbetrayal Wasn't too much work :)
PR here: #181
You can try this out by using the special Docker image quay.io/pganalyze/collector:hotfix-aws-web-identity-support
that I just built - could you give this a try and see whether it works as expected?
Hi @booleanbetrayal - thanks for opening this issue, I think it's a good idea to add direct support for this.
That said, I'm wondering if you can utilize the environment variable based configuration to verify whether this works as intended today, without any code changes:
The SDK supports the same variables as the CLI (see https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#assume-role-with-web-identity at the end), so I think you can set the following:
- AWS_ROLE_ARN: The ARN of the role you want to assume.
- AWS_WEB_IDENTITY_TOKEN_FILE: The path to the web identity token file.
If I understand the AWS documentation correctly, you can simply set AWS_WEB_IDENTITY_TOKEN_FILE to /var/run/secrets/eks.amazonaws.com/serviceaccount/token, and AWS_ROLE_ARN to the correct role, and assuming you have the annotations set correctly, that should just work.
One more thing you might have to do is permit the pganalyze user to access the identity token file, as documented here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html#pod-configuration
Let me know if that works, I'd be curious :)
So I know this "just works" in the Ruby SDK -
irb(main):008:0> require 'aws-sdk-s3'
=> true
irb(main):009:0> ENV['AWS_WEB_IDENTITY_TOKEN_FILE']
=> "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
irb(main):010:0> ENV['AWS_ROLE_ARN'].length
=> 50
irb(main):011:0>
irb(main):012:0> s3 = Aws::S3::Resource.new
=> #<Aws::S3::Resource:0x00007f79c4f1d688 @client=#<Aws::S3::Client>>
irb(main):013:0> s3.bucket(ENV['AWS_LOGGING_BUCKET']).object("test/#{Time.now.strftime('%Y-%m-%d_%H-%M-%S-%12N')}").put(body: "test")
=> #<struct Aws::S3::Types::PutObjectOutput expiration=nil, etag="\"*************\"", server_side_encryption=nil, version_id=nil, sse_customer_algorithm=nil, sse_customer_key_md5=nil, ssekms_key_id=nil, ssekms_encryption_context=nil, bucket_key_enabled=nil, request_charged=nil>
So I'm a bit surprised it's not working in the Go SDK. I'll try to revisit the configuration (reverted to IAM user access credentials) and will let you know if it's still reproducible or if there's some obvious misconfiguration, @lfittl . I was pretty confident I had dotted all my "i's" and crossed all my "t's", but maybe I had missed something.
Actually, @lfittl - I'm wondering if the issue is in the creation of the provider chain via: https://github.com/pganalyze/collector/blob/master/util/awsutil/amazon.go#L56-L66
According to the documentation, EnvProvider only supports:
- Access Key ID: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY
- Secret Access Key: AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY
So maybe by explicitly configuring the provider chain for credentials creation, the legs are being cut out from some other automated WebIdentity provider support (if it even exists)?
> Actually, @lfittl - I'm wondering if the issue is in the creation of the provider chain via: https://github.com/pganalyze/collector/blob/master/util/awsutil/amazon.go#L56-L66
> According to the documentation, EnvProvider only supports:
> - Access Key ID: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY
> - Secret Access Key: AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY
> So maybe by explicitly configuring the provider chain for credentials creation, the legs are being cut out from some other automated WebIdentity provider support (if it even exists)?
Yeah, you might be right, looking at the code again.
I think its relatively straightforward to add this support, let me give that a try & will share a PR in a bit.
Thanks @lfittl ! Not urgent, but appreciated!
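Both halves of this thread, the environment-variable setup lfittl describes and the provider-chain gap booleanbetrayal points at, come together in the following added example. It is not code from the collector or from aws-sdk-go: the Credentials, Provider, EnvProvider, WebIdentityProvider and FirstCredentials names below are a stand-alone model of the SDK's chain semantics written for this page, the STS AssumeRoleWithWebIdentity call is stubbed out, and the audience sts.amazonaws.com and the system:serviceaccount:<namespace>:<name> subject are what an IRSA projected token carries. The role ARN, service-account name and token used to exercise it are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// Credentials stands in for the SDK's credentials.Value; Provider for credentials.Provider.
type Credentials struct{ Source, Identity string }
type Provider interface{ Retrieve() (Credentials, error) }

// EnvProvider reproduces what the SDK's EnvProvider reads: static access keys only. It never
// looks at AWS_ROLE_ARN or AWS_WEB_IDENTITY_TOKEN_FILE, so a chain built from it misses IRSA.
type EnvProvider struct{}

func (EnvProvider) Retrieve() (Credentials, error) {
	if id := os.Getenv("AWS_ACCESS_KEY_ID"); id != "" && os.Getenv("AWS_SECRET_ACCESS_KEY") != "" {
		return Credentials{Source: "env", Identity: id}, nil
	}
	return Credentials{}, errors.New("EnvProvider: AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY not set")
}

// claims holds the projected-token fields STS checks when the token is exchanged.
type claims struct {
	Sub string   `json:"sub"`
	Aud []string `json:"aud"` // Kubernetes projected tokens carry aud as an array
	Exp int64    `json:"exp"`
}

// decodeJWTClaims base64url-decodes a compact JWT's payload. It does not verify the signature;
// STS does that against the cluster's OIDC issuer, so this is only a local preflight.
func decodeJWTClaims(token string) (c claims, err error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return c, errors.New("token is not a three-part compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &c)
	}
	return c, err
}

func hasAudience(c claims, want string) bool {
	for _, a := range c.Aud {
		if a == want {
			return true
		}
	}
	return false
}

// WebIdentityProvider models the provider the collector's chain lacks. It runs the preflight
// that precedes AssumeRoleWithWebIdentity: both env vars set, token file readable by this
// process (the pganalyze user, in the thread), claims STS will accept. The STS call is stubbed.
type WebIdentityProvider struct{ Now func() time.Time } // injectable clock for deterministic expiry checks

func (p WebIdentityProvider) Retrieve() (Credentials, error) {
	roleARN, tokenFile := os.Getenv("AWS_ROLE_ARN"), os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	if roleARN == "" || tokenFile == "" {
		return Credentials{}, errors.New("WebIdentityProvider: AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE must both be set")
	}
	tok, readErr := os.ReadFile(tokenFile) // EACCES here means the runtime user cannot read the projected token
	c, err := decodeJWTClaims(string(tok))
	switch {
	case readErr != nil:
		return Credentials{}, fmt.Errorf("WebIdentityProvider: read token: %w", readErr)
	case err != nil:
		return Credentials{}, fmt.Errorf("WebIdentityProvider: bad token: %w", err)
	case !hasAudience(c, "sts.amazonaws.com"):
		return Credentials{}, fmt.Errorf("WebIdentityProvider: aud %v is not sts.amazonaws.com", c.Aud)
	case !strings.HasPrefix(c.Sub, "system:serviceaccount:"):
		return Credentials{}, fmt.Errorf("WebIdentityProvider: sub %q is not a Kubernetes service account", c.Sub)
	case c.Exp <= p.Now().Unix():
		return Credentials{}, errors.New("WebIdentityProvider: token is expired")
	}
	// Real code would now call sts.AssumeRoleWithWebIdentity(roleARN, tok) to obtain temporary keys.
	return Credentials{Source: "web-identity", Identity: c.Sub}, nil
}

// FirstCredentials walks the chain in order and returns the first success, as
// credentials.NewChainCredentials does; which providers are in the chain is the whole point.
func FirstCredentials(providers ...Provider) (Credentials, error) {
	for _, p := range providers {
		if creds, err := p.Retrieve(); err == nil {
			return creds, nil
		}
	}
	return Credentials{}, errors.New("no provider in the chain yielded credentials")
}

// BuildUnsignedTestToken makes a dummy-signed JWT for offline tests only; a real projected
// token is signed by the cluster's OIDC issuer.
func BuildUnsignedTestToken(sub string, aud []string, exp int64) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(map[string]interface{}{"sub": sub, "aud": aud, "exp": exp})
	b64 := base64.RawURLEncoding.EncodeToString
	return b64(hdr) + "." + b64(body) + ".dummysig"
}
```

Under an IRSA-style environment (AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE set, no static keys) FirstCredentials(EnvProvider{}) fails the way the collector's explicit chain does, while FirstCredentials(EnvProvider{}, WebIdentityProvider{Now: time.Now}) succeeds; static keys, when present, still win because they come first in the chain, and an EACCES from os.ReadFile is the symptom of the token file not being readable by the pganalyze user.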