Bypassing the CallerIdentity validation for running tests

Open grameshtwilio opened this issue 3 years ago • 4 comments

Is your feature request related to a problem? I would like to test some of the ACK controllers with my localstack environment where I pass test credentials to the controller as environment variables. However, the controller errors at this line

Describe the solution you'd like If a config variable such as AWS_ACCOUNT_ID is set, then the GetCallerIdentity validation is skipped.

Describe alternatives you've considered Any alternate suggestion to achieve the same goal is perfect

grameshtwilio avatar Aug 11 '22 17:08 grameshtwilio

We used to have a --aws-account-id flag before. I'm not against bringing it back and using it if GetCallerIdentity fails somehow. @aws-controllers-k8s/runtime-maintainer thoughts?

a-hilaly avatar Aug 11 '22 18:08 a-hilaly

I found the PR that removed the --aws-account-id flag. It would be great to get it back or enable something along the lines of a --local-run flag that skips the validation check.

grameshtwilio avatar Aug 12 '22 00:08 grameshtwilio

I don't think it's safe to add a flag that skips all validation checks on a binary that will be running on production. However, I don't see a problem with using --aws-account-id to override/default a value. In the meantime you can use a custom runtime library for your tests. Most of the controllers have a local go.mod file that replaces the upstream runtime module with your local one https://github.com/aws-controllers-k8s/s3-controller/blob/main/go.local.mod#L5

You can also build controller images using the local go.mod file by using make build-local-controller-image

a-hilaly avatar Aug 12 '22 10:08 a-hilaly

Hi @grameshtwilio! Sorry for the delay in commenting on this.

I'm not in favor of adding back the --aws-account-id CLI arg for the reasons noted in the PR you linked: it was causing confusion for users during the install/startup process.

I'm similarly not keen to add a flag that skips verification steps for the same reasons that @A-Hilaly mentioned.

From looking at the localstack docs, it looks like you can have localstack run STS (by default on localhost port 4592). You can then simply pass --endpoint-url as https://localhost:4592 and should be good to go. :)

jaypipes avatar Sep 13 '22 20:09 jaypipes
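
The approach in the comment above keeps the identity check in place and only changes which STS endpoint it talks to. The following is an added example, not code from the ACK runtime or from any participant in this thread: a startup check that fails closed, exercised against a constructed fake STS. The names `accountID` and `fakeSTS` are hypothetical, and the request is sent unsigned, which assumes an emulator that accepts unsigned requests (a real controller would go through the AWS SDK and sign it).

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
)

// callerIdentity maps the Account field of an STS GetCallerIdentity XML response.
type callerIdentity struct {
	Account string `xml:"GetCallerIdentityResult>Account"`
}

var accountRE = regexp.MustCompile(`^[0-9]{12}$`)

// accountID asks the given STS endpoint who the caller is. Every failure is an
// error; there is no skip path. Assumption: the endpoint accepts unsigned requests.
func accountID(stsEndpoint string) (string, error) {
	form := url.Values{"Action": {"GetCallerIdentity"}, "Version": {"2011-06-15"}}
	resp, err := http.PostForm(stsEndpoint, form)
	if err != nil {
		return "", fmt.Errorf("sts unreachable: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("sts returned %s", resp.Status)
	}
	var id callerIdentity
	if err := xml.NewDecoder(resp.Body).Decode(&id); err != nil {
		return "", fmt.Errorf("bad sts response: %w", err)
	}
	if !accountRE.MatchString(id.Account) {
		return "", fmt.Errorf("invalid account id %q", id.Account)
	}
	return id.Account, nil
}

// fakeSTS is a constructed stand-in for an emulator's STS service (test use only).
func fakeSTS(account string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "<GetCallerIdentityResponse><GetCallerIdentityResult><Account>%s</Account></GetCallerIdentityResult></GetCallerIdentityResponse>", account)
	}))
}

func main() {
	srv := fakeSTS("000000000000") // constructed sample account ID
	fmt.Println(accountID(srv.URL))
}
```

The production binary keeps a single code path; tests differ only in the endpoint value, so an unreachable or malformed STS response still stops startup.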

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

eks-bot avatar Dec 12 '22 22:12 eks-bot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle rotten

ack-bot avatar Jan 11 '23 23:01 ack-bot

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Provide feedback via https://github.com/aws-controllers-k8s/community. /close

ack-bot avatar Feb 11 '23 04:02 ack-bot

@ack-bot: Closing this issue.

ack-prow[bot] avatar Feb 11 '23 04:02 ack-prow[bot]