didip commented on a change in pull request #12339:
URL: https://github.com/apache/druid/pull/12339#discussion_r841252975



##########
File path: 
extensions-core/s3-extensions/src/main/java/org/apache/druid/data/input/s3/S3InputSource.java
##########
@@ -166,15 +175,21 @@ private void applyAssumeRole(
       AWSCredentialsProvider awsCredentialsProvider
   )
   {
-    String assumeRoleArn = s3InputSourceConfig.getAssumeRoleArn();
-    if (assumeRoleArn != null) {
+    // Do not run if WebIdentityToken file and assumeRole ARN are detected 
from the environment variable,
+    // we want the default s3ClientBuilder behavior for ServiceAccount + 
eks.amazonaws.com/role-arn annotation to work.
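Review bot: the hunk removes the `assumeRoleArn != null` guard but the new comment only describes the skip condition in words, so the precedence between an ARN set explicitly in `s3InputSourceConfig` and one that merely surfaced from the pod environment is not checkable from the code. Name the two variables the check relies on (`AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN`, per the discussion) in the comment, and state whether an explicitly configured ARN still wins when those variables are also present; that makes the intent reviewable against the condition that follows. Minor: the first comment line carries trailing whitespace after "detected".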

Review comment:
   This is the default credentials provider which is turned on by default on S3 Client (provided as a reference). You can see that the WebIdentityToken is in the middle (enabled when `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` are configured in environment variables): https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.html
   
   I will give you a little background:
   
   Everyone who runs Druid on EKS wants to use the ServiceAccount with annotated Role ARN because it's more secure and uses AWS's newer IMDS v2 API.
   
   When we actually configure "ServiceAccount with annotated Role ARN", `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` will be configured inside the pod's environment variables.
   
   Now, the old codebase somehow picked up the `AWS_ROLE_ARN` from the environment variable and populated the S3InputSourceConfig.assumeRole field. And that caused the code to execute that special assumeRole function. We don't want that to happen.
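As an added illustration (not Druid's code and not part of this PR), the following hypothetical helper uses the AWS SDK v1 classes the hunk already references to show the selection the comment describes: the STS assume-role wrapper runs only for an ARN that was set explicitly in the input source config, and never when the pod carries the web-identity variables, because the default chain already resolves those on its own. The class and method names, the session name and the Map-based environment lookup are assumptions.

```java
import java.util.Map;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

/** Hypothetical helper (assumption): decides which credentials provider an S3 input uses. */
public final class CredentialsSelector
{
  public static final String WEB_IDENTITY_TOKEN_FILE = "AWS_WEB_IDENTITY_TOKEN_FILE";
  public static final String ROLE_ARN = "AWS_ROLE_ARN";

  /** True when the pod carries an EKS ServiceAccount web-identity token (both variables set). */
  public static boolean hasWebIdentity(Map<String, String> env)
  {
    String token = env.get(WEB_IDENTITY_TOKEN_FILE);
    String roleArn = env.get(ROLE_ARN);
    return token != null && !token.isEmpty() && roleArn != null && !roleArn.isEmpty();
  }

  /**
   * configuredRoleArn must come from the input source config only; it is never
   * copied from AWS_ROLE_ARN, which is the mistake the review thread describes.
   */
  public static boolean shouldAssumeRole(String configuredRoleArn, Map<String, String> env)
  {
    if (configuredRoleArn == null || configuredRoleArn.isEmpty()) {
      return false;               // nothing explicitly configured, nothing to assume
    }
    return !hasWebIdentity(env);  // on a web-identity pod, leave it to the default chain
  }

  public static AWSCredentialsProvider select(String configuredRoleArn, Map<String, String> env)
  {
    AWSCredentialsProvider base = DefaultAWSCredentialsProviderChain.getInstance();
    if (!shouldAssumeRole(configuredRoleArn, env)) {
      return base;  // the chain's web-identity provider handles the EKS role on its own
    }
    AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(base)
        .build();
    // Session name is an assumed value; STS requires one but the page does not name it.
    return new STSAssumeRoleSessionCredentialsProvider.Builder(configuredRoleArn, "druid-s3-input")
        .withStsClient(sts)
        .build();
  }
}
```

Passing `System.getenv()` as the `env` argument gives the production behaviour, while a hand-built map lets a unit test cover the pod and non-pod cases without touching the real environment.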




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
