Zzih96 commented on issue #17867:
URL:
https://github.com/apache/dolphinscheduler/issues/17867#issuecomment-3737734476
> > Using IRSA for AWS authentication in a Kubernetes environment.
>
> AFAIK, DS has no plugins that implemented `AWS EKS`. And the most commonly
> used `AWS S3` does not use this verification method. So what is the scenario of
> this function on DS?

I think there's a misunderstanding - this isn't about a specific AWS
service. WebIdentityToken authentication is supported by all AWS services (S3,
EMR, Glue, Athena, etc.), not just EKS.

When DolphinScheduler runs in a Kubernetes Pod, the AWS SDK automatically
uses environment variables (AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN) to
authenticate. The problem is DolphinScheduler's AwsCredentialsProvider doesn't
include this provider in its chain, so it can't use IRSA even when properly
configured.

This PR adds the missing WebIdentityTokenCredentialsProvider to support
AWS's recommended authentication for Kubernetes deployments.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
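
Added example, not part of the comment above or of the DolphinScheduler code base: a preflight check that a pod's AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are wired the way IRSA expects before any credentials provider reads them. It assumes the token file holds the projected service-account JWT with the default IRSA audience `sts.amazonaws.com`; `check_irsa`, `write_sample` and all sample values are hypothetical and constructed.

```python
import base64, json, os, re, tempfile, time

# Assumed shape of an IAM role ARN (any partition, 12-digit account id).
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

def _jwt_claims(token):
    """Decode the payload segment of a JWT without verifying its signature."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def check_irsa(env, now=None, audience="sts.amazonaws.com"):
    """Return a list of problems with the IRSA wiring; an empty list means usable.
    Claims are only inspected here; AWS STS is what validates the signature."""
    now = time.time() if now is None else now
    problems = []
    if not ROLE_ARN_RE.match(env.get("AWS_ROLE_ARN", "")):
        problems.append("AWS_ROLE_ARN missing or not an IAM role ARN")
    path = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not path:
        return problems + ["AWS_WEB_IDENTITY_TOKEN_FILE not set"]
    try:
        with open(path, encoding="ascii") as fh:
            claims = _jwt_claims(fh.read().strip())
    except (OSError, IndexError, ValueError) as exc:
        return problems + [f"token unreadable or not a JWT: {exc}"]
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"token audience {aud!r} does not include {audience}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no numeric exp")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append("token subject is not a Kubernetes service account")
    return problems

def write_sample(claims):
    """Write a constructed, unsigned JWT-shaped token (not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    fd, path = tempfile.mkstemp(suffix=".token")
    with os.fdopen(fd, "w") as fh:
        fh.write(".".join([enc({"alg": "RS256"}), enc(claims), "c2lnbmF0dXJl"]))
    return path

if __name__ == "__main__":
    print(check_irsa(dict(os.environ)) or "IRSA environment variables look usable")
```

An empty result only shows the pod side is wired; the IAM role's trust policy must still allow the token's issuer and subject.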