Is your feature request related to a problem? Please describe.
Using static AWS credentials is discouraged. IRSA is the canonical way for Kubernetes pods to access AWS services, including S3.
Describe the solution you'd like
Support using IRSA to provision credentials rather than explicitly provided credentials.
Describe alternatives you've considered
Creating static credentials is generally discouraged. If the provider supporter a session token in addition to the access key id and secret key one could implement a helper pod to keep the secret populated with current credentials derived from IRSA.
Additional context
It does not appear that the plugin supports configuration without static keys. When I remove .spec.storage.s3.accessKeyId and .spec.storage.s3.accessKeySecret the controller crashes with a nil dereference.
Impact
Implementing this would improve the security and simplify the configuration for clusters already using IRSA.
Implementation ideas (optional)
There are environment variables (AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN) which can be used to identify that IRSA is the desired credential source.
Is your feature request related to a problem? Please describe.
Using static AWS credentials is discouraged. IRSA is the canonical way for Kubernetes pods to access AWS services, including S3.
Describe the solution you'd like
Support using IRSA to provision credentials rather than explicitly provided credentials.
Describe alternatives you've considered
Creating static credentials is generally discouraged. If the provider supporter a session token in addition to the access key id and secret key one could implement a helper pod to keep the secret populated with current credentials derived from IRSA.
Additional context
It does not appear that the plugin supports configuration without static keys. When I remove
.spec.storage.s3.accessKeyIdand.spec.storage.s3.accessKeySecretthe controller crashes with a nil dereference.Impact
Implementing this would improve the security and simplify the configuration for clusters already using IRSA.
Implementation ideas (optional)
There are environment variables (
AWS_WEB_IDENTITY_TOKEN_FILEandAWS_ROLE_ARN) which can be used to identify that IRSA is the desired credential source.