Update aws-go-sdk to support EKS Pod Identity #5219

Open
bhvishal9 opened this issue Oct 30, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@bhvishal9

Is your feature request related to a problem? Please describe.
Currently Boundary doesn't support EKS pod identity, which is a much simpler way to provide AWS access. The newer versions of aws-sdk-go support EKS pod identity; it was added in version 1.47.1.

There is an error if you use the latest version of Boundary 0.18.0 on EKS:

    Error parsing KMS configuration: error setting configuration on the kms plugin: rpc error: code = Unknown desc = error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Describe the solution you'd like
Boundary should work on EKS if using EKS pod identity for providing KMS access.

Describe alternatives you've considered
The other solution is to use IAM roles for service accounts or pass access keys/secret access keys to the configuration.

@bhvishal9 bhvishal9 added the enhancement New feature or request label Oct 30, 2024
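
Added example (not part of the issue thread or of Boundary's code): a small Go diagnostic that can be run inside the pod to see which AWS credential mechanisms the environment advertises, which helps when triaging the `NoCredentialProviders` error above. The function names are hypothetical; the environment variable names and the Pod Identity Agent addresses are the ones AWS documents, and instance-profile (IMDS) credentials are out of scope because they are not announced through the environment.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
)

// Addresses of the EKS Pod Identity Agent credential endpoint (IPv4, IPv6).
var podIdentityHosts = map[string]bool{"169.254.170.23": true, "fd00:ec2::23": true}

// detectSources lists the credential mechanisms advertised through the
// environment. getenv is injected so the check can be exercised offline.
func detectSources(getenv func(string) string) []string {
	var found []string
	if getenv("AWS_ACCESS_KEY_ID") != "" && getenv("AWS_SECRET_ACCESS_KEY") != "" {
		found = append(found, "static-keys")
	}
	// IRSA: the EKS webhook injects a projected token file and a role ARN.
	if getenv("AWS_WEB_IDENTITY_TOKEN_FILE") != "" && getenv("AWS_ROLE_ARN") != "" {
		found = append(found, "irsa")
	}
	if raw := getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI"); raw != "" {
		u, err := url.Parse(raw)
		switch {
		case err != nil:
			found = append(found, "container-uri-invalid")
		case podIdentityHosts[u.Hostname()] && getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE") != "":
			// Pod Identity: agent endpoint plus a token *file* for authorization.
			found = append(found, "eks-pod-identity")
		default:
			found = append(found, "container-credentials")
		}
	}
	return found
}

// onlyPodIdentity is true when Pod Identity is the sole advertised source,
// i.e. the process depends entirely on the SDK build understanding it.
func onlyPodIdentity(sources []string) bool {
	return len(sources) == 1 && sources[0] == "eks-pod-identity"
}

func main() {
	s := detectSources(os.Getenv)
	fmt.Println("credential sources advertised to this process:", s)
	if onlyPodIdentity(s) {
		fmt.Println("only EKS Pod Identity is configured; the AWS SDK in use must support it")
	}
}
```
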
@Rachana-hashi
Collaborator

Hi there,
Thank you for reaching out to us. I had a few questions regarding this ask.

  1. Is the error posted below received when using EKS pod identity with boundary 0.18?
    Error parsing KMS configuration: error setting configuration on the kms plugin: rpc error: code = Unknown desc = error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors

  2. Have you tried using EKS pod identity with any earlier versions of Boundary? Just wanted to understand if the error is because of the 0.18 version of Boundary or because there is no support.

  3. With the alternative you provided, does it give you the desired outcome? Are you able to use EKS pod identity for KMS access?

@bhvishal9
Author

Hey @Rachana-hashi, sorry for not providing those details before, but here they are:

  1. Yes, I was using version 0.18.
  2. I tried 0.17 as well and had the same issue. I think it is because there is no support for it yet, as the Go AWS SDK version seems older than the version that started supporting pod identity.
  3. No, those are alternatives to pod identity itself. I can either use the older methods like IAM roles for service accounts (IRSA)/access keys-secret access keys, or I can use the pod identity.

@Rachana-hashi
Collaborator

Hi Vishal,

Thanks for answering the questions. Are you using Vault with Boundary here?
