Update amazon session.New to support web identity token from service account in K8s #134
+2
−1
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi Everyone !
While trying to get the drone autoscaler running on Amazon EKS Kubernetes cluster I encountered an issue with the way the AWS SDK handles the session when using an IAM role.
The drone autoscaler deployment is assigned a ServiceAccount to grant the service access to an IAM role (IRSA / OIDC IAM role dedicated to the pod) as stated in this documentation https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
While digging into AWS SDK issues I found this relevant issue that makes a mention of using
session.NewSession
instead ofsession.New
which does not handle well web identity token files aws/aws-sdk-go#4436I made a local build of the project and took it for a spin and it works like charm now. The Drone autoscaler service is able to assume the ServiceAccount IAM role instead of the IAM role assigned to the EC2 machine.
I used the IAM policy for the drone autoscaler suggested by @mtb-xt on the community forum https://community.harness.io/t/drone-autoscaler/10719/12
The IAM trusted policy is as follow: