Add web_identity chain type for IRSA support#136
Conversation
Adds a "web_identity" credential chain that uses STSAssumeRoleWebIdentityCredentialsProvider to support IAM Roles for Service Accounts (IRSA) in EKS. The no-arg constructor reads AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, and AWS_ROLE_SESSION_NAME from environment variables. Auto-refresh is enabled by default since these are temporary STS credentials. Fixes duckdb#119, duckdb#93, duckdb#31
58d6e0b to
3f7ef74
Compare
|
The PR is open for weeks now |
|
Hey @samansmink, hope you’re doing well. We’d really appreciate it if you could merge this PR when you have a chance. |
|
@samansmink, @Tmonster @ccfelius appreciates as well |
|
@atolopko-czi and @prathapsridharan appreciates as well |
|
cc @zmarouf 🥹 |
|
Any updates on when this is going to be merged ? Appreciate this. |
|
Is there a way to test this? I see a test file has been added, but no |
|
@Tmonster , you'll need an OIDC provider and and setup a trust policy for that provider, add a role with this trust policy and assume it. The attached script sets up AWS Cognito as OIDC provider, and creates the role. You can use this to run local, one-off tests with this. Instead of Cognito, you could also run this with GitHub as OIDC provider within GitHub Workflow. If this is what you're aiming at, I can help with that; but it'd be a test-time dependency to AWS. edit: GitHub workflow poc: mst#1 |
|
Hi @mst, I took a look. It looks good to me. Maybe you can cherry-pick the commit I made here? I thought it might be helpful for users to be able to manually specify the |
…ntities need to be assumed in one duckdb session
|
@Tmonster - thanks, makes sense. Cherry pick applied |
|
Thanks! I'll put this in CI in a follow up PR |
Awesome, thanks for merging! Regarding CI, not sure if you've seen my comment -- there's a slightly simpler approach using GitHib as OICD provider instead of Cognito (saves some infra for this test): see mst#1. |
I did see this, but did not take close enough look. I will fork/cherry-pick and see if I can get it working. Might tag you as a reviewer if that's alright |
|
CC @carlopi wondering if this might have any implications for duckdb-wasm |
|
awesome work! |
|
the docs should also be updated, right? |
Adds a
web_identitycredential chain that usesSTSAssumeRoleWebIdentityCredentialsProviderto support IAM Roles for Service Accounts (IRSA) in EKS.The no-arg constructor reads
AWS_ROLE_ARN,AWS_WEB_IDENTITY_TOKEN_FILE, andAWS_ROLE_SESSION_NAMEfrom environment variables. Auto-refresh is enabled by default since these are temporary STS credentials.Fixes #119, fixes #93, fixes #31
note: automatic refresh only works on un-globbed s3 access duckdb/duckdb-httpfs#165
note2: auto-refresh doesn't work with Ducklake or Iceberg at all: duckdb/duckdb-httpfs#165 (comment)