Incorporate feedback from review

Signed-off-by: Renan Magagnin <renanmag@amazon.co.uk>

Author: renanmagagnin

examples/kubernetes/static_provisioning/static_provisioning.yaml

@@ -14,6 +14,7 @@ spec:
   mountOptions:
     - allow-delete
     - region us-west-2
+    - prefix some-s3-prefix/
   csi:
     driver: s3.csi.aws.com # Required
     volumeHandle: s3-csi-driver-volume # Must be unique

pkg/driver/node/credentialprovider/provider_driver.go

@@ -27,6 +27,7 @@ func (c *Provider) provideFromDriver(provideCtx ProvideContext) (envprovider.Env
 	accessKeyID := os.Getenv(envprovider.EnvAccessKeyID)
 	secretAccessKey := os.Getenv(envprovider.EnvSecretAccessKey)
 	if accessKeyID != "" && secretAccessKey != "" {
+		klog.V(4).Infof("Providing credentials from driver with Long-term AWS credentials")
 		sessionToken := os.Getenv(envprovider.EnvSessionToken)
 		longTermCredsEnv, err := provideLongTermCredentialsFromDriver(provideCtx, accessKeyID, secretAccessKey, sessionToken)
 		if err != nil {
@@ -38,6 +39,7 @@ func (c *Provider) provideFromDriver(provideCtx ProvideContext) (envprovider.Env
 	} else {
 		// Profile provider
 		// TODO: This is not officially supported and won't work by default with containerization.
+		klog.V(4).Infof("Providing credentials from driver with Profile provider")
 		configFile := os.Getenv(envprovider.EnvConfigFile)
 		sharedCredentialsFile := os.Getenv(envprovider.EnvSharedCredentialsFile)
 		if configFile != "" && sharedCredentialsFile != "" {
@@ -50,7 +52,7 @@ func (c *Provider) provideFromDriver(provideCtx ProvideContext) (envprovider.Env
 	webIdentityTokenFile := os.Getenv(envprovider.EnvWebIdentityTokenFile)
 	roleARN := os.Getenv(envprovider.EnvRoleARN)
 	if webIdentityTokenFile != "" && roleARN != "" {
-		klog.Info("STS Web Identity provider (IRSA)")
+		klog.V(4).Infof("Providing credentials from driver with STS Web Identity provider (IRSA)")
 		stsWebIdentityCredsEnv, err := provideStsWebIdentityCredentialsFromDriver(provideCtx)
 		if err != nil {
 			klog.V(4).ErrorS(err, "credentialprovider: Failed to provide STS Web Identity credentials from driver")
@@ -63,8 +65,8 @@ func (c *Provider) provideFromDriver(provideCtx ProvideContext) (envprovider.Env
 	// Container credential provider (EKS Pod Identity)
 	containerAuthorizationTokenFile := os.Getenv(envprovider.EnvContainerAuthorizationTokenFile)
 	containerCredentialsFullURI := os.Getenv(envprovider.EnvContainerCredentialsFullURI)
-	if containerAuthorizationTokenFile != "" && containerCredentialsFullURI != "" {
-		klog.Info("Container credential provider (EKS Pod Identity)")
+	if util.UsePodMounter() && containerAuthorizationTokenFile != "" && containerCredentialsFullURI != "" {
+		klog.V(4).Infof("Providing credentials from driver with Container credential provider (EKS Pod Identity)")
 		containerCredsEnv, err := provideContainerCredentialsFromDriver(provideCtx, containerAuthorizationTokenFile, containerCredentialsFullURI)
 		if err != nil {
 			klog.V(4).ErrorS(err, "credentialprovider: Failed to provide container credentials from driver")

pkg/driver/node/credentialprovider/provider_test.go

@@ -953,6 +953,8 @@ func setEnvForStsWebIdentityCredentials(t *testing.T) {
 func setEnvForContainerCredentials(t *testing.T) {
 	t.Helper()
 
+	t.Setenv("MOUNTER_KIND", "pod")
+
 	tokenPath := filepath.Join(t.TempDir(), "token")
 	assert.NoError(t, os.WriteFile(tokenPath, []byte(testContainerAuthorizationToken), 0600))
 

tests/e2e-kubernetes/go.mod

@@ -23,7 +23,6 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
-	github.com/aws/aws-sdk-go v1.55.7
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.3 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.16.10 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 // indirect

tests/e2e-kubernetes/go.sum

@@ -13,10 +13,6 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
-github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/aws/aws-sdk-go-v2 v1.30.3 h1:jUeBtG0Ih+ZIFH0F4UkmL9w3cSpaMv9tYYDbzILP8dY=
-github.com/aws/aws-sdk-go-v2 v1.30.3/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc=
 github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
 github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.3 h1:Zx9+31KyB8wQna6SXFWOewlgoY5uGdDAu6PTOEU3OQI=
@@ -27,12 +23,8 @@ github.com/aws/aws-sdk-go-v2/credentials v1.16.10 h1:VmRkuoKaGl2ZDNGkkRQgw80Hxj1
 github.com/aws/aws-sdk-go-v2/credentials v1.16.10/go.mod h1:WEn22lpd50buTs/TDqywytW5xQ2zPOMbYipIlqI6xXg=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 h1:FZVFahMyZle6WcogZCOxo6D/lkDA2lqKIn4/ueUmVXw=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9/go.mod h1:kjq7REMIkxdtcEC9/4BVXjOsNY5isz6jQbEgk6osRTU=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 h1:SoNJ4RlFEQEbtDcCEt+QG56MY4fm4W8rYirAmq+/DdU=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15/go.mod h1:U9ke74k1n2bf+RIgoX1SXFed1HLs51OgUSs+Ph0KJP8=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 h1:C6WHdGnTDIYETAm5iErQUiVNsclNx9qbJVPIt03B6bI=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15/go.mod h1:ZQLZqhcu+JhSrA9/NXRm8SkDvsycE+JkV3WGY41e+IM=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 h1:uR9lXYjdPX0xY+NhvaJ4dD8rpSRz5VY81ccIIoNG+lw=
@@ -61,8 +53,6 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.3 h1:CxAHBS0BWSUqI7qzXHc2ZpTe
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.3/go.mod h1:7Lt5mjQ8x5rVdKqg+sKKDeuwoszDJIIPmkd8BVsEdS0=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.3 h1:KfREzajmHCSYjCaMRtdLr9boUMA7KPpoPApitPlbNeo=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.3/go.mod h1:7Ld9eTqocTvJqqJ5K/orbSDwmGcpRdlDiLjz2DO+SL8=
-github.com/aws/smithy-go v1.20.3 h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE=
-github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
 github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

tests/e2e-kubernetes/testsuites/credentials.go

@@ -56,6 +56,12 @@ const (
 	stsAssumeRoleRetryMaxBackoffDelay = 10 * time.Second
 )
 
+const (
+	eksauthAssumeRoleRetryCode            = "AccessDeniedException"
+	eksauthAssumeRoleRetryMaxAttemps      = 0 // This will cause SDK to retry indefinetly, but we do have a timeout on the operation
+	eksauthAssumeRoleRetryMaxBackoffDelay = 10 * time.Second
+)
+
 const serviceAccountTokenAudienceSTS = "sts.amazonaws.com"
 const roleARNAnnotation = "eks.amazonaws.com/role-arn"
 const credentialSecretName = "aws-secret"
@@ -360,7 +366,7 @@ func (t *s3CSICredentialsTestSuite) DefineTests(driver storageframework.TestDriv
 			removeAssociation := createPodIdentityAssociation(ctx, f, sa, *role.Arn)
 			deferCleanup(removeAssociation)
 
-			pod := CSIDriverPod(ctx, f)
+			pod := csiDriverPod(ctx, f)
 			waitUntilRoleIsAssumableWithEKS(ctx, f, sa, pod)
 
 			// Trigger recreation of our pods to use the new IAM role
@@ -752,7 +758,7 @@ func eksPodIdentityRoleTrustPolicyDocument() string {
 			{
 				"Effect": "Allow",
 				"Principal": jsonMap{
-					"Service": "pods.eks.amazonaws.com",
+					"Service": serviceAccountTokenAudienceEKS,
 				},
 				"Action": []string{"sts:AssumeRole", "sts:TagSession"},
 			},
@@ -818,7 +824,7 @@ func assumeRole(ctx context.Context, f *framework.Framework, roleArn string) *st
 	framework.Logf("Assuming IAM role %s", roleArn)
 
 	client := sts.NewFromConfig(awsConfig(ctx))
-	return waitUntilRoleIsAssumable(ctx, client.AssumeRole, &sts.AssumeRoleInput{
+	return waitUntilRoleIsAssumableSTS(ctx, client.AssumeRole, &sts.AssumeRoleInput{
 		RoleArn:         ptr.To(roleArn),
 		RoleSessionName: ptr.To(f.BaseName),
 		DurationSeconds: ptr.To(int32(stsAssumeRoleCredentialDuration.Seconds())),
@@ -828,38 +834,44 @@ func assumeRole(ctx context.Context, f *framework.Framework, roleArn string) *st
 // waitUntilRoleIsAssumable waits until the given role is assumable.
 // This is needed because we're creating new roles in our test cases and then trying to assume those roles,
 // but there is a delay between IAM and STS services and newly created roles/policies does not appear on STS immediately.
-func waitUntilRoleIsAssumable[Input any, Output any](ctx context.Context, assumeFunc func(context.Context, *Input, ...func(*sts.Options)) (*Output, error), input *Input) *Output {
+func waitUntilRoleIsAssumable[Input any, Output any, O any](
+	ctx context.Context,
+	assumeFunc func(context.Context, *Input, ...func(O)) (*Output, error),
+	input *Input,
+	optionsFunc func(O),
+) *Output {
 	ctx, cancel := context.WithTimeout(ctx, stsAssumeRoleTimeout)
 	defer cancel()
 
-	output, err := assumeFunc(ctx, input, func(o *sts.Options) {
-		o.Retryer = retry.AddWithErrorCodes(o.Retryer, stsAssumeRoleRetryCode)
-		o.Retryer = retry.AddWithMaxAttempts(o.Retryer, stsAssumeRoleRetryMaxAttemps)
-		o.Retryer = retry.AddWithMaxBackoffDelay(o.Retryer, stsAssumeRoleRetryMaxBackoffDelay)
-	})
+	output, err := assumeFunc(ctx, input, optionsFunc)
 	framework.ExpectNoError(err)
 	gomega.Expect(output).ToNot(gomega.BeNil())
 
 	return output
 }
 
-// waitUntilRoleIsAssumableEKS waits until the given role is assumable.
-// This is needed because we're creating new roles in our test cases and then trying to assume those roles,
-// but there is a delay between IAM and STS services and newly created roles/policies does not appear on STS immediately.
-func waitUntilRoleIsAssumableEKS[Input any, Output any](ctx context.Context, assumeFunc func(context.Context, *Input, ...func(*eksauth.Options)) (*Output, error), input *Input) *Output {
-	ctx, cancel := context.WithTimeout(ctx, stsAssumeRoleTimeout)
-	defer cancel()
-
-	output, err := assumeFunc(ctx, input, func(o *eksauth.Options) {
-		o.Retryer = retry.AddWithErrorCodes(o.Retryer, stsAssumeRoleRetryCode, "AccessDeniedException")
+func waitUntilRoleIsAssumableSTS[Input any, Output any](
+	ctx context.Context,
+	assumeFunc func(context.Context, *Input, ...func(*sts.Options)) (*Output, error),
+	input *Input,
+) *Output {
+	return waitUntilRoleIsAssumable(ctx, assumeFunc, input, func(o *sts.Options) {
+		o.Retryer = retry.AddWithErrorCodes(o.Retryer, stsAssumeRoleRetryCode)
 		o.Retryer = retry.AddWithMaxAttempts(o.Retryer, stsAssumeRoleRetryMaxAttemps)
 		o.Retryer = retry.AddWithMaxBackoffDelay(o.Retryer, stsAssumeRoleRetryMaxBackoffDelay)
 	})
+}
 
-	framework.ExpectNoError(err)
-	gomega.Expect(output).ToNot(gomega.BeNil())
-
-	return output
+func waitUntilRoleIsAssumableEKS[Input any, Output any](
+	ctx context.Context,
+	assumeFunc func(context.Context, *Input, ...func(*eksauth.Options)) (*Output, error),
+	input *Input,
+) *Output {
+	return waitUntilRoleIsAssumable(ctx, assumeFunc, input, func(o *eksauth.Options) {
+		o.Retryer = retry.AddWithErrorCodes(o.Retryer, eksauthAssumeRoleRetryCode)
+		o.Retryer = retry.AddWithMaxAttempts(o.Retryer, eksauthAssumeRoleRetryMaxAttemps)
+		o.Retryer = retry.AddWithMaxBackoffDelay(o.Retryer, eksauthAssumeRoleRetryMaxBackoffDelay)
+	})
 }
 
 func waitUntilRoleIsAssumableWithWebIdentity(ctx context.Context, f *framework.Framework, sa *v1.ServiceAccount) {
@@ -875,7 +887,7 @@ func waitUntilRoleIsAssumableWithWebIdentity(ctx context.Context, f *framework.F
 	framework.ExpectNoError(err)
 
 	client := sts.NewFromConfig(awsConfig(ctx))
-	waitUntilRoleIsAssumable(ctx, client.AssumeRoleWithWebIdentity, &sts.AssumeRoleWithWebIdentityInput{
+	waitUntilRoleIsAssumableSTS(ctx, client.AssumeRoleWithWebIdentity, &sts.AssumeRoleWithWebIdentityInput{
 		RoleArn:          ptr.To(roleARN),
 		RoleSessionName:  ptr.To(f.BaseName),
 		WebIdentityToken: ptr.To(serviceAccountToken.Status.Token),

tests/e2e-kubernetes/testsuites/util.go

@@ -250,8 +250,6 @@ func deletePodIdentityAssociations(ctx context.Context, sa *v1.ServiceAccount) {
 	})
 	framework.ExpectNoError(listErr)
 
-	framework.Logf("listOutput.Associations: %s", listOutput.Associations)
-
 	for _, association := range listOutput.Associations {
 		_, deleteErr := eksClient.DeletePodIdentityAssociation(ctx, &eks.DeletePodIdentityAssociationInput{
 			ClusterName:   &ClusterName,
@@ -261,7 +259,7 @@ func deletePodIdentityAssociations(ctx context.Context, sa *v1.ServiceAccount) {
 	}
 }
 
-func CSIDriverPod(ctx context.Context, f *framework.Framework) *v1.Pod {
+func csiDriverPod(ctx context.Context, f *framework.Framework) *v1.Pod {
 	ds := csiDriverDaemonSet(ctx, f)
 	client := f.ClientSet.CoreV1().Pods(csiDriverDaemonSetNamespace)