Request
(Identified by @goynam while @hoophalab was helping in a live debug session to deploy the Helm chart. Thanks a lot, @goynam, for bringing this to our attention!)
CLP's Helm chart currently supports AWS authentication only through long-term credentials (access key ID and secret access key) configured via credentials. However, many organizations enforce security policies that prohibit the use of long-term credentials on EKS. Without IAM role support, the log_ingestor and S3-based storage features are unusable for these users.
We need to add support for IAM roles (e.g., IAM Roles for Service Accounts / IRSA, or EC2 instance profile-based roles) so that CLP containers can authenticate with AWS services (S3, etc.) without requiring static credentials.
This is a blocker for users who need to use S3-based logs_input or archive_output storage on EKS clusters with strict credential policies.
Possible implementation
- Use IRSA (IAM Roles for Service Accounts): IRSA is the standard mechanism for IAM authentication on EKS. When a pod uses a Kubernetes ServiceAccount annotated with an IAM role ARN, EKS automatically injects the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables and mounts the projected token volume via a mutating webhook.
- Update Rust utilities to use the AWS SDK's default credential provider chain: CLP's Rust-based components (e.g., log_ingestor) currently rely on credential files. These need to be updated to use the AWS SDK's default credential provider chain, which automatically resolves credentials from environment variables, IRSA tokens, and instance metadata in order of priority.
- Helm chart changes:
  - Allow users to specify a Kubernetes ServiceAccount (or create one) with the eks.amazonaws.com/role-arn annotation for IRSA.
  - Remove the hard requirement for aws_config_directory when IAM roles are configured.
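As an added illustration of the Helm chart changes above (this is not code from the CLP repository), one way the chart could expose an IRSA-capable ServiceAccount. The `serviceAccount.*` and `awsConfigDirectory` value names, the file names, and the role ARN are assumptions, not existing CLP chart keys.

```yaml
# values.yaml (assumed keys, not existing CLP chart values)
serviceAccount:
  create: true
  name: clp
  annotations:
    # Placeholder: the IAM role trusted by this cluster's OIDC provider.
    # Scope its policy to the logs_input / archive_output buckets only.
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<CLP_ROLE_NAME>
# Left empty when IAM roles are used; no longer required.
awsConfigDirectory: ""

---
# templates/serviceaccount.yaml (assumed file)
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccount.name }}
  annotations:
    {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}

---
# templates/log-ingestor-deployment.yaml (assumed file, excerpt)
spec:
  template:
    spec:
      serviceAccountName: {{ .Values.serviceAccount.name }}
      containers:
        - name: log-ingestor
          # No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY here: the EKS webhook
          # injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE and mounts the
          # projected token, and the SDK default chain resolves them.
          {{- if .Values.awsConfigDirectory }}
          # Only mount a static credentials directory when explicitly configured.
          volumeMounts:
            - name: aws-config
              mountPath: /root/.aws
              readOnly: true
          {{- end }}
      {{- if .Values.awsConfigDirectory }}
      volumes:
        - name: aws-config
          hostPath:
            path: {{ .Values.awsConfigDirectory }}
      {{- end }}
```

After deploying, `kubectl exec <pod> -- env | grep AWS_` should show AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE and no static key variables; if they are absent, the pod is not using the annotated ServiceAccount or the webhook is not running.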