
Support AWS environments without instance metadata endpoint #885

Open
govertb opened this issue Oct 8, 2021 · 0 comments
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments


govertb commented Oct 8, 2021

Is your feature request related to a problem? Please describe.
When trying to use identity federation on an AWS environment that does not have the EC2 instance metadata endpoint available (in my case ECS Fargate, but this should apply to Lambda as well), the library fails to obtain credentials.

Describe the solution you'd like
For the library to fall back to another credential source if the EC2 instance metadata endpoint is not available. If this is not possible, it would also help if it was documented that the instance metadata endpoint is required, or if the library flagged more clearly that it cannot find the instance metadata endpoint.

Describe alternatives you've considered
To work around this issue, I exposed (temporary) AWS credentials as environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) to prevent the library from using the metadata endpoint.

Additional context
Unfortunately I no longer have access to an AWS environment to reproduce this issue, but I wanted to share this information since I thought this might be helpful.

@parthea parthea added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Oct 8, 2021
mmalecki added a commit to goes-funky/google-auth-library-python that referenced this issue Jun 27, 2024
The container credential provider is used on AWS ECS and AWS EKS.
It presents a different API and integration surface than IMDS, and so
custom code is required to make use of it.

Ref: https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html

We successfully tested this in a Workload Identity Provider and service
account impersonation scenario.

Fixes googleapis#885.
Fixes googleapis#1099.
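As an added example (not google-auth's own code and not the referenced commit), this plain-Python resolver tries the three sources discussed on this page in order: the environment variables from the issue's workaround, the container credential provider named in the commit (`AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` / `_FULL_URI`, optional `AWS_CONTAINER_AUTHORIZATION_TOKEN`), and finally IMDSv2; when none applies it raises an error that names what was tried, which is the clearer failure the issue asks for. Endpoint addresses and header names are AWS's documented ones; `fetch` is injectable so the chain can be exercised offline with constructed responses.

```python
import json
import os
import urllib.request

IMDS_BASE = "http://169.254.169.254/latest"   # EC2 instance metadata service
CONTAINER_BASE = "http://169.254.170.2"        # container credential provider (ECS/EKS)
CREDS_PATH = "/meta-data/iam/security-credentials/"


class NoAwsCredentialsError(RuntimeError):
    """Raised when no credential source applies; the message names what was tried."""


def http_text(method, url, headers=None, timeout=1.0):
    # Link-local endpoints answer quickly or not at all, so keep the timeout short.
    req = urllib.request.Request(url, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def _from_doc(source, doc):
    # Both the container endpoint and IMDS return AccessKeyId/SecretAccessKey/Token.
    return {"source": source, "access_key_id": doc["AccessKeyId"],
            "secret_access_key": doc["SecretAccessKey"], "session_token": doc.get("Token")}


def resolve_aws_credentials(env=os.environ, fetch=http_text):
    # 1. Explicit (temporary) credentials in the environment: the issue's workaround.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return {"source": "env", "access_key_id": env["AWS_ACCESS_KEY_ID"],
                "secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
                "session_token": env.get("AWS_SESSION_TOKEN")}
    # 2. Container credential provider: relative URI (ECS) or full URI, optional auth token.
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    url = CONTAINER_BASE + rel if rel else env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if url:
        headers = {}
        if env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN"):
            headers["Authorization"] = env["AWS_CONTAINER_AUTHORIZATION_TOKEN"]
        return _from_doc("container", json.loads(fetch("GET", url, headers)))
    # 3. EC2 instance metadata via IMDSv2 (session token first); absent on Fargate/Lambda.
    try:
        token = fetch("PUT", IMDS_BASE + "/api/token",
                      {"X-aws-ec2-metadata-token-ttl-seconds": "300"})
        hdr = {"X-aws-ec2-metadata-token": token}
        role = fetch("GET", IMDS_BASE + CREDS_PATH, hdr).splitlines()[0]
        return _from_doc("imds", json.loads(fetch("GET", IMDS_BASE + CREDS_PATH + role, hdr)))
    except OSError as exc:  # URLError and socket timeouts are both OSError
        raise NoAwsCredentialsError(
            "no AWS credentials: AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY unset, no "
            f"AWS_CONTAINER_CREDENTIALS_*_URI, and IMDS is unreachable ({exc})") from exc
```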