AWS KMS - support authentication from Kubernetes service-accounts (EKS)
Is your feature request related to a problem? Please describe.
This issue separates out one of the two enhancement requests described by #1282.
Currently the proxy requires a long-lived AWS access key/secret key combination to authenticate to AWS. Whilst this authentication is supported, it is not seen as the most secure option.
For use cases when the proxy binary is running in Amazon EKS, the preferred approach is for the IAM roles to be attached to a service account. The service account OIDC token can then be retrieved by the application and exchanged for temporary credentials from AWS Security Token Service. These temporary credentials can then be used to interact with the AWS API.
Additional context
EKS
If the proxy binary is running in Amazon EKS, IAM roles can be attached to service accounts, but I don't see in the AWS docs a reference to how those credentials can be retrieved outside of using the AWS SDK.
I understand that the IAM role gets attached to the Kubernetes service account. The pod using the service account is then able to operate with permission granted by the IAM role against the AWS API. The AWS docs talk about how the AWS SDK works:
To use the credentials from IAM roles for service accounts, your code can use any AWS SDK to create a client for an AWS service with an SDK, and by default the SDK searches in a chain of locations for AWS Identity and Access Management credentials to use. The IAM roles for service accounts credentials will be used if you don't specify a credential provider when you create the client or otherwise initialized the SDK. This works because IAM roles for service accounts have been added as a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an IAM roles for service accounts for the same workload. The SDK automatically exchanges the service account OIDC token for temporary credentials from AWS Security Token Service by using the AssumeRoleWithWebIdentity action. Amazon EKS and this SDK action continue to rotate the temporary credentials by renewing them before they expire.
It sounds possible for the KMS integration to follow the same approach, but this needs to be validated.
We also want to understand how similar/different things are for ROSA.
- https://docs.openshift.com/rosa/authentication/assuming-an-aws-iam-role-for-a-service-account.html
For OpenShift on AWS (OSD) I found only this.
- https://www.redhat.com/en/blog/running-pods-in-openshift-with-aws-iam-roles-for-service-accounts-aka-irsa
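Added example, not code from this issue's project: a small standard-library Python script that mirrors what the AWS SDK default credential chain does in an EKS pod with IAM Roles for Service Accounts (IRSA). It reads the environment variables the EKS pod identity webhook injects (`AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`), shows that static keys earlier in the chain shadow IRSA (the behaviour the quoted AWS docs describe), inspects the projected OIDC token's claims to decide when a refresh is due, and assembles the parameters an `AssumeRoleWithWebIdentity` call would carry. The JWT, the issuer URL, the role ARN and the namespace/service-account names are constructed placeholders; no call to STS is made.

```python
"""Mirror the AWS SDK default credential chain for an EKS pod using IRSA.

Added example (not the project's own code). Uses only the standard library;
the token below is constructed for the demo and carries no real signature.
STS verifies the token when it is exchanged, so the client never needs to.
"""
import base64
import json

# Environment variables the EKS pod identity webhook injects (real names).
ROLE_ARN_ENV = "AWS_ROLE_ARN"
TOKEN_FILE_ENV = "AWS_WEB_IDENTITY_TOKEN_FILE"
STATIC_KEY_ENV = "AWS_ACCESS_KEY_ID"
STATIC_SECRET_ENV = "AWS_SECRET_ACCESS_KEY"
STS_AUDIENCE = "sts.amazonaws.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _as_list(value):
    """JWT 'aud' may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Good enough for local inspection (expiry, audience, subject); the
    token is authenticated by STS during AssumeRoleWithWebIdentity.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def resolve_credential_source(env: dict) -> str:
    """Follow the default chain order quoted in the issue: static keys found
    earlier in the chain win over IRSA even when IRSA is fully configured."""
    if env.get(STATIC_KEY_ENV) and env.get(STATIC_SECRET_ENV):
        return "static-keys"
    if env.get(ROLE_ARN_ENV) and env.get(TOKEN_FILE_ENV):
        return "web-identity"
    return "none"


def token_needs_refresh(claims: dict, now: float, skew_seconds: int = 300) -> bool:
    """True when the projected token is expired or inside the skew window,
    i.e. when the SDK would re-read the token file and call STS again."""
    return claims["exp"] - now <= skew_seconds


def build_assume_role_request(env: dict, token: str, session_name: str) -> dict:
    """Parameters an STS AssumeRoleWithWebIdentity call carries; the key
    names match the boto3 sts.assume_role_with_web_identity kwargs."""
    claims = decode_jwt_claims(token)
    if STS_AUDIENCE not in _as_list(claims.get("aud")):
        raise ValueError("token audience is not %s" % STS_AUDIENCE)
    return {
        "RoleArn": env[ROLE_ARN_ENV],
        "RoleSessionName": session_name,
        "WebIdentityToken": token,
        "DurationSeconds": 3600,
    }


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "demo-kid", "typ": "JWT"}
    return "%s.%s.placeholder-signature" % (enc(header), enc(claims))


# Constructed sample of what a projected service-account token and the
# injected environment look like inside an EKS pod (all values placeholders).
NOW = 1_700_000_000
DEMO_CLAIMS = {
    "iss": "https://oidc.eks.REGION.amazonaws.com/id/EXAMPLE",
    "sub": "system:serviceaccount:proxy-ns:proxy-sa",
    "aud": [STS_AUDIENCE],
    "iat": NOW,
    "exp": NOW + 86400,
}
DEMO_TOKEN = make_demo_token(DEMO_CLAIMS)
DEMO_ENV = {
    ROLE_ARN_ENV: "arn:aws:iam::123456789012:role/placeholder-kms-role",
    TOKEN_FILE_ENV: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}

if __name__ == "__main__":
    claims = decode_jwt_claims(DEMO_TOKEN)
    print("credential source:", resolve_credential_source(DEMO_ENV))
    print("refresh at issue time?", token_needs_refresh(claims, NOW))
    print("refresh near expiry?", token_needs_refresh(claims, NOW + 86400 - 60))
    print("role:", build_assume_role_request(DEMO_ENV, DEMO_TOKEN, "proxy-kms")["RoleArn"])
```

The `resolve_credential_source` ordering is the point for the proxy's KMS integration: if the deployment still sets `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, an SDK-based KMS client will keep using those long-lived keys and never touch the service-account token, so the env and config need to be cleared of static keys for IRSA to take effect.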