Add env var for EKS Pod Identity token audience and service principal (#617)

*Issue #, if available:* N/A

*Description of changes:*

For testing in internal EKS environments, we may wish to modify the
token audience and service principal used. This change allows it to be
overridden in the node service and end-to-end tests.

The default value is unchanged, and remains `"pods.eks.amazonaws.com"`.

We may consider making changes to the Helm chart, however I'm leaving it
out for this PR.

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

Author: dannycjones

charts/aws-mountpoint-s3-csi-driver/templates/node.yaml

@@ -81,6 +81,8 @@ spec:
               value: {{ .Values.mountpointPod.namespace }}
             - name: EKS_POD_IDENTITY_AGENT_CONTAINER_CREDENTIALS_FULL_URI
               value: {{ .Values.eksPodIdentityAgent.containerCredentialsFullURI }}
+            - name: POD_IDENTITY_TOKEN_AUDIENCE
+              value: pods.eks.amazonaws.com
             {{- with .Values.awsAccessSecret }}
             - name: AWS_ACCESS_KEY_ID
               valueFrom:

pkg/driver/node/credentialprovider/provider_pod.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/google/renameio"
@@ -17,10 +18,11 @@ import (
 	"github.com/awslabs/mountpoint-s3-csi-driver/pkg/driver/node/envprovider"
 )
 
+var serviceAccountTokenAudiencePodIdentity = determineServiceAccountTokenAudienceEKS()
+
 const (
-	serviceAccountTokenAudienceSTS         = "sts.amazonaws.com"
-	serviceAccountTokenAudiencePodIdentity = "pods.eks.amazonaws.com"
-	serviceAccountRoleAnnotation           = "eks.amazonaws.com/role-arn"
+	serviceAccountTokenAudienceSTS = "sts.amazonaws.com"
+	serviceAccountRoleAnnotation   = "eks.amazonaws.com/role-arn"
 )
 
 const podLevelCredentialsDocsPage = "https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/docs/CONFIGURATION.md#pod-level-credentials"
@@ -236,3 +238,13 @@ func (c *Provider) createEKSPodIdentityCredentialsEnvironment(provideCtx Provide
 		envprovider.EnvContainerAuthorizationTokenFile: tokenFile,
 	}, nil
 }
+
+func determineServiceAccountTokenAudienceEKS() string {
+	const envPodIdentityTokenAudience = "POD_IDENTITY_TOKEN_AUDIENCE"
+	fromEnv := strings.TrimSpace(os.Getenv(envPodIdentityTokenAudience))
+	if len(fromEnv) == 0 {
+		return "pods.eks.amazonaws.com"
+	} else {
+		return fromEnv
+	}
+}

tests/e2e-kubernetes/testsuites/credentials.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	goerrors "errors"
 	"fmt"
+	"os"
 	"slices"
 	"strings"
 	"time"
@@ -72,7 +73,7 @@ const serviceAccountTokenAudienceSTS = "sts.amazonaws.com"
 const roleARNAnnotation = "eks.amazonaws.com/role-arn"
 const credentialSecretName = "aws-secret"
 
-const serviceAccountTokenAudienceEKS = "pods.eks.amazonaws.com"
+var serviceAccountTokenAudienceEKS = determineServiceAccountTokenAudienceEKS()
 
 // DefaultRegion specifies the STS region explicitly.
 var DefaultRegion string
@@ -86,6 +87,16 @@ type s3CSICredentialsTestSuite struct {
 	tsInfo storageframework.TestSuiteInfo
 }
 
+func determineServiceAccountTokenAudienceEKS() string {
+	const envPodIdentityTokenAudience = "POD_IDENTITY_TOKEN_AUDIENCE"
+	fromEnv := strings.TrimSpace(os.Getenv(envPodIdentityTokenAudience))
+	if len(fromEnv) == 0 {
+		return "pods.eks.amazonaws.com"
+	} else {
+		return fromEnv
+	}
+}
+
 func InitS3CSICredentialsTestSuite() storageframework.TestSuite {
 	return &s3CSICredentialsTestSuite{
 		tsInfo: storageframework.TestSuiteInfo{
@@ -1013,20 +1024,20 @@ func getARNPartition(arn string) string {
 }
 
 func createRole(ctx context.Context, f *framework.Framework, assumeRolePolicyDocument string, policyNames ...string) (*iamtypes.Role, func(context.Context) error) {
-	framework.Logf("Creating IAM role")
 	identity := stsCallerIdentity(ctx)
 
 	client := iam.NewFromConfig(awsConfig(ctx))
 
 	roleName := fmt.Sprintf("%s-%s", f.BaseName, uuid.NewString())
+	framework.Logf("Creating IAM role '%s' with assumeRolePolicyDocument \"%s\"", roleName, assumeRolePolicyDocument)
 	role, err := client.CreateRole(ctx, &iam.CreateRoleInput{
 		RoleName:                 ptr.To(roleName),
 		AssumeRolePolicyDocument: ptr.To(assumeRolePolicyDocument),
 	})
 	framework.ExpectNoError(err)
 
 	deleteRole := func(ctx context.Context) error {
-		framework.Logf("Deleting IAM role")
+		framework.Logf("Deleting IAM role '%s'", roleName)
 		_, err := client.DeleteRole(ctx, &iam.DeleteRoleInput{
 			RoleName: ptr.To(roleName),
 		})