The AWS SDKs have support for authenticating to the AWS API by using a Web Identity Provider. This is very convenient when running services inside of EKS (Elastic Kubernetes Service), as it allows you to grant specific services inside of Kubernetes access to a specific AWS IAM role, which controls which permissions that service has.
This page talks about how to configure it in Kubernetes, while this page lists which SDK versions support this feature. It mentions you need at least aws-sdk-go version 1.23.13; this codebase is currently on version 1.34.34, which is plenty:
github.com/aws/aws-sdk-go v1.34.34   (telegraf/go.mod, line 29 at ffe92a7)
Usually, it would then be enough to run the service inside EKS with the correct configuration set up for the service account, etc., and the service would then use the provided role when interacting with AWS, but that doesn't work for Telegraf. I'm guessing it's missing the necessary configuration inside https://github.com/influxdata/telegraf/blob/master/config/aws/credentials.go.
Would that be possible to add?
The Python SDK documentation also explains it pretty well:
https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#assume-role-with-web-identity-provider
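The contract a web-identity provider has to honour is small, and it is worth seeing it spelled out: EKS injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE (optionally AWS_ROLE_SESSION_NAME) into the pod, and the SDK's default credential chain picks them up and calls AssumeRoleWithWebIdentity with the projected service-account token (in aws-sdk-go v1 that is stscreds.NewWebIdentityRoleProvider). A credentials loader that always builds its own static-key or plain AssumeRole provider never consults those variables, which is the kind of gap the issue is asking about. The block below is an added, standard-library-only illustration of that contract, not Telegraf or aws-sdk-go code: it resolves the variables the way the SDK does and inspects the token's claims before the point where STS would be called. The role ARN, issuer URL, service-account name and the unsigned token are constructed sample data.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// WebIdentityConfig holds what an AssumeRoleWithWebIdentity provider needs.
// Added illustration, not Telegraf or aws-sdk-go code; the SDK's own provider
// is stscreds.NewWebIdentityRoleProvider, which takes the same three values.
type WebIdentityConfig struct {
	RoleARN         string
	TokenFile       string
	RoleSessionName string // optional; the SDK generates one when empty
}

// tokenClaims are the projected service-account token claims worth checking
// locally. STS verifies the signature against the cluster's OIDC provider,
// so no signature verification is attempted here.
type tokenClaims struct {
	Issuer   string      `json:"iss"`
	Subject  string      `json:"sub"` // system:serviceaccount:<namespace>:<name>
	Audience interface{} `json:"aud"` // string or []string per RFC 7519
	Expiry   int64       `json:"exp"`
}

// FromEnv applies the SDK's rule: web identity is used only when both
// AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN are set. Neither set means
// "not configured" (fall through to the next provider); exactly one set is an error.
func FromEnv(getenv func(string) string) (*WebIdentityConfig, bool, error) {
	tokenFile, roleARN := getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), getenv("AWS_ROLE_ARN")
	if tokenFile == "" && roleARN == "" {
		return nil, false, nil
	}
	if tokenFile == "" || roleARN == "" {
		return nil, false, errors.New("AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN must both be set")
	}
	if !strings.HasPrefix(roleARN, "arn:") || !strings.Contains(roleARN, ":role/") {
		return nil, false, fmt.Errorf("AWS_ROLE_ARN %q is not an IAM role ARN", roleARN)
	}
	return &WebIdentityConfig{RoleARN: roleARN, TokenFile: tokenFile,
		RoleSessionName: getenv("AWS_ROLE_SESSION_NAME")}, true, nil
}

// LoadToken reads the projected token. kubelet rotates the file, so a provider
// must re-read it on every credential refresh instead of caching it at startup.
func LoadToken(path string) (string, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("reading web identity token: %w", err)
	}
	return strings.TrimSpace(string(raw)), nil
}

// ParseClaims decodes the JWT payload and rejects what STS would reject anyway
// (expired, or not issued for the sts.amazonaws.com audience), so the failure
// is reported locally rather than as an opaque STS error.
func ParseClaims(token string, now time.Time) (*tokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding JWT payload: %w", err)
	}
	var c tokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parsing JWT claims: %w", err)
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, fmt.Errorf("token missing exp or expired (exp=%d)", c.Expiry)
	}
	if !hasAudience(c.Audience, "sts.amazonaws.com") {
		return nil, fmt.Errorf("token audience %v is not sts.amazonaws.com", c.Audience)
	}
	return &c, nil
}

func hasAudience(aud interface{}, want string) bool {
	switch v := aud.(type) {
	case string:
		return v == want
	case []interface{}:
		for _, a := range v {
			if s, ok := a.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// MakeUnsignedToken builds a constructed, unsigned JWT for the demonstration.
// A real projected token is signed by the cluster's service-account signing key.
func MakeUnsignedToken(claims map[string]interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}

func main() {
	now := time.Now()
	token := MakeUnsignedToken(map[string]interface{}{ // constructed sample claims
		"iss": "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE",
		"sub": "system:serviceaccount:monitoring:telegraf",
		"aud": "sts.amazonaws.com",
		"exp": now.Add(time.Hour).Unix(),
	})
	env := map[string]string{ // constructed; what the EKS pod identity webhook injects
		"AWS_ROLE_ARN":                "arn:aws:iam::123456789012:role/telegraf-cloudwatch",
		"AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
	}
	cfg, ok, err := FromEnv(func(k string) string { return env[k] })
	if err != nil || !ok {
		fmt.Println("web identity not configured:", err)
		return
	}
	// In a pod this would be LoadToken(cfg.TokenFile); the sample token is used directly.
	claims, err := ParseClaims(token, now)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("AssumeRoleWithWebIdentity(RoleArn=%s) as %s issued by %s\n",
		cfg.RoleARN, claims.Subject, claims.Issuer)
}
```

The tri-state return of FromEnv is the part that matters for a credentials loader: "not configured" must fall through to the next provider in the chain, while a half-configured pod (one variable without the other) should fail loudly rather than silently dropping to the instance profile, which on EKS would hand the service the node's permissions instead of the role the service account was annotated with.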