feat: container credential provider support auth token #106
Conversation
|
Manually tested in EKS 1.26 and passed. |
I always thought that env vars will never be refreshed? Upon starting a process, the process inherits the variables from the parent (usually the shell). So this behaviour is expected afaik, and is not a special case of some sorts. |
You're 100% correct. So maybe the |
windmgc
force-pushed
the
feat-container-cred-provider-auth
branch
from
55c8a74 to
a797908
Compare
|
superseded by #107 since this PR comes from my fork and cannot run actions correctly without org level variables. |
Summary
This PR adds support for using authorization token in Container Credential Provider. Container Credential Provider uses two environment variables for the auth token content:
AWS_CONTAINER_AUTHORIZATION_TOKEN(for token value) andAWS_CONTAINER_AUTHORIZATION_TOKEN_FILE(for a file path that stores token value). See https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html. If one of the token env vars exists, the token value will be used asAuthorizationheader value when requesting credential provider URI.By adding support for auth token in Container Credential Provider, we can support the latest "Pod Identity" IAM Auth method in AWS EKS. See How EKS Pod Identity works
Note that this PR only adds support for
AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE. Due to the env isolation of Nginx worker process, the possible rotating ofAWS_CONTAINER_AUTHORIZATION_TOKENmay not work if it is not defined in Nginx config. By searching through the AWS documentation it seems that there is only one IoT service "Greengrass" use that var to store raw token value, and Pod Identity always use token file. So I decide to add token file support at first, and leave the other one as a TODO.Reference:
https://github.com/aws/aws-sdk-js/blob/3276faf83e32dfea637797c66a73431affe54e64/lib/credentials/remote_credentials.js#L118C3-L118C18
https://konghq.atlassian.net/browse/KAG-3424