
Apply EKS Pod Identity when using spring-cloud-aws-autoconfigure

Open YoungJinJung opened this issue 1 year ago • 5 comments

Type: Feature

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

We are currently applying an IAM role to our EKS service using EKS IRSA. When booting up, sensitive information (e.g. DB password, API token, etc.) is injected through secretsmanager in Spring Boot's application.yml. I tried to apply the EKS Pod Identity from this 2023 re:Invent, but confirmed that it was not yet in aws-autoconfigure. I tried applying eksauth, but found that the following error occurred. Therefore, we would like to request additional functionality to apply this.

2023-12-09 08:25:19.912 INFO  i.a.c.s.AwsSecretsManagerPropertySources:255 -   - Loading secrets from AWS Secret Manager secret with name: /secret/application, optional: true
2023-12-09 08:25:19.912 WARN  i.a.c.s.AwsSecretsManagerPropertySources:258 -   - Unable to load AWS secret from /secret/application. Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@10805e25: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@4aa77358: The full URI (http://169.254.170.23/v1/credentials) contained withing environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI has an invalid host. Host should resolve to a loopback address or have the full URI be HTTPS.]

implementation("software.amazon.awssdk:eksauth:2.21.41")
implementation("io.awspring.cloud:spring-cloud-aws-autoconfigure:2.4.4")
implementation("io.awspring.cloud:spring-cloud-starter-aws-secrets-manager-config:2.4.4")
implementation("software.amazon.awssdk:sts:2.21.40")

Describe the solution you'd like
A clear and concise description of what you want to happen.

Since the class is initialized, when checking the CredentialProviderChain, it would be sufficient to add logic to check whether the property related to the EKS Pod Identity is set.

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

Additional context Add any other context or screenshots about the feature request here.

YoungJinJung avatar Dec 09 '23 09:12 YoungJinJung
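
The log in the issue shows the container credentials provider refusing the Pod Identity Agent URL because it is plain HTTP to a host that is not loopback; the rule exists because the SDK sends its authorization token to that URI and trusts whatever credentials come back. As an added example (not code from spring-cloud-aws or the AWS SDK), the class below contrasts that rule with one that also allow-lists the agent's link-local addresses. The class and method names are hypothetical, and the IPv6 agent address is taken from AWS's Pod Identity documentation rather than from this page.

```java
import java.net.InetAddress;
import java.net.URI;
import java.util.List;

// Added illustration; names are hypothetical, not SDK or spring-cloud-aws source.
public class ContainerCredentialsUriCheck {

    // EKS Pod Identity Agent endpoints. The IPv4 one appears in the issue's log;
    // the IPv6 one is an assumption taken from AWS documentation.
    static final List<String> AGENT_LITERALS = List.of("169.254.170.23", "fd00:ec2::23");

    static boolean isAgentAddress(InetAddress addr) throws Exception {
        for (String literal : AGENT_LITERALS) {
            // Compare parsed addresses, not strings, so equivalent
            // spellings of the IPv6 literal still match.
            if (InetAddress.getByName(literal).equals(addr)) return true;
        }
        return false;
    }

    // allowAgent=false: the rule quoted in the log (HTTPS, or host resolves to loopback).
    // allowAgent=true : same rule plus an exact-match allow-list for the agent.
    static boolean accepts(URI uri, boolean allowAgent) throws Exception {
        if ("https".equalsIgnoreCase(uri.getScheme())) return true;
        if (uri.getHost() == null) return false;               // malformed or opaque URI
        String host = uri.getHost().replaceAll("[\\[\\]]", ""); // strip IPv6 brackets
        // Every address the host resolves to must pass, so a name that maps to
        // one good and one bad address is rejected.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            boolean ok = addr.isLoopbackAddress() || (allowAgent && isAgentAddress(addr));
            if (!ok) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        String[] samples = {                        // constructed sample values
            "http://169.254.170.23/v1/credentials", // URI from the log in the issue
            "http://[fd00:ec2::23]/v1/credentials",
            "http://127.0.0.1:8080/creds",
            "https://198.51.100.7/creds",           // documentation-range address
            "http://198.51.100.7/creds",
        };
        for (String s : samples) {
            URI uri = URI.create(s);
            System.out.printf("%-40s loopback-or-https=%-5b with-agent-allowlist=%b%n",
                    s, accepts(uri, false), accepts(uri, true));
        }
    }
}
```

The allow-list matches exact addresses rather than the whole link-local range, so other plain-HTTP hosts stay rejected under both rules.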

I don't know much about EKS, so would you be interested in contributing a PR?

maciejwalkowiak avatar Dec 09 '23 11:12 maciejwalkowiak

> I don't know much about EKS, so would you be interested in contributing a PR?

Sure, I'll try contributing a PR.

YoungJinJung avatar Dec 11 '23 00:12 YoungJinJung

Any idea when we can get this fixed? We are also facing this issue.

ramyogi7283 avatar Jan 08 '24 16:01 ramyogi7283

@ramyogi7283 contributions welcome

maciejwalkowiak avatar Jan 08 '24 20:01 maciejwalkowiak

@maciejwalkowiak Hello, could you please review the PR above, if it's not too distracting or too busy?

YoungJinJung avatar Apr 21 '24 07:04 YoungJinJung