Skip to content

[FEATURE] Support IRSA for access #61

Description

@akloss-terion

Is your feature request related to a problem? Please describe.

Using static AWS credentials is discouraged. IRSA is the canonical way for Kubernetes pods to access AWS services, including S3.

Describe the solution you'd like

Support using IRSA to provision credentials rather than explicitly provided credentials.

Describe alternatives you've considered

Creating static credentials is generally discouraged. If the provider supporter a session token in addition to the access key id and secret key one could implement a helper pod to keep the secret populated with current credentials derived from IRSA.

Additional context

It does not appear that the plugin supports configuration without static keys. When I remove .spec.storage.s3.accessKeyId and .spec.storage.s3.accessKeySecret the controller crashes with a nil dereference.

Impact

Implementing this would improve the security and simplify the configuration for clusters already using IRSA.

Implementation ideas (optional)

There are environment variables (AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN) which can be used to identify that IRSA is the desired credential source.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions