feat(aws): support keyless authentication (IRSA / instance profile)#751
Conversation
f3e18a4 to
1d14571
Compare
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughAWS provider now accepts omitted ChangesKeyless Authentication Support
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Make aws_access_key/aws_secret_key optional. When omitted, fall back to the AWS SDK default credential chain so IRSA, EC2/ECS instance profiles, env vars and shared config work without injecting static creds into the provider config.
1d14571 to
ef682e2
Compare
|
Hey @Mzack9999 and @dogancanbakir would this be treated as a feature enhancement? |
Summary
The AWS provider currently requires
aws_access_keyandaws_secret_keyin the provider-config, which prevents keyless authentication such as IRSA (IAM Roles for Service Accounts) on EKS. This PR makes both fields optional and falls back to the AWS SDK default credential chain when they are omitted.Changes
pkg/providers/aws/aws.goParseOptionBlock:aws_access_key/aws_secret_keyare now optional. Added paired validation — if exactly one of the two is provided, it errors (a half-configured pair is almost always a mistake).New: static credentials are only set when both keys are present. Otherwiseconfig.Credentialsis left nil sosession.NewSessionresolves credentials via the SDK default chain.PROVIDERS.md: marked the keys optional and added a "Keyless Authentication" section.README.md: added a keyless-auth feature bullet.Why this works
aws-sdk-go v1's
session.NewSession(config)runs its internalresolveCredentialsonly whenconfig.Credentials == nil. That resolver automatically detectsAWS_WEB_IDENTITY_TOKEN_FILE/AWS_ROLE_ARN(injected by the EKS pod-identity webhook) and assumes the web-identity role — so IRSA, EC2/ECS instance profiles,AWS_*env vars and shared config all work without injecting static creds into the config file. The previous hard-codedNewStaticCredentialsshort-circuited that path.This composes with existing role-assumption flows (
assume_role_arn,assume_role_name,org_discovery_role_arn), which build STS sessions on top of the now-keyless base session.Backward compatibility
Fully backward compatible — existing static-key configs behave exactly as before.
Testing
go build ./...,go vet ./pkg/providers/aws/, andgo test ./pkg/providers/aws/all pass.Summary by CodeRabbit
aws_access_keyoraws_secret_keyis set, the other must also be provided; otherwise configuration falls back to the SDK’s default credential chain.