Enabling long-running jobs to use federated STS assume role authentication for AWS resources. #34440
Currently, long-running jobs (streaming or batch based) have limited options to authenticate against AWS services when running outside of AWS. In fact, the only viable option for batch pipelines or streaming pipelines that execute for more than X hours is to use a `StaticCredentialsProvider` configuration. This approach imposes some scrutiny, given that the use of such a provider is discouraged in favor of using temporary credentials.

`AWSOptions` enables the configuration of a provider named `StsAssumeRoleWithWebIdentityCredentialsProvider`, which uses short-lived credentials and OIDC web identity tokens to authenticate the AWS SDK in a federated way. The problem this implementation presents is that once a web identity token is created it normally has a predefined expiration date, so AWS requests will fail after the expiration time is reached.

This change implements a `StsAssumeRoleWithDynamicWebIdentityCredentialsProvider` which can be configured with a FQCN in charge of providing fresh web id tokens that can be used to authenticate against AWS services in a federated way. The implementation delegates most of the logic to the class `StsAssumeRoleWithWebIdentityCredentialsProvider`, but creates the authentication request dynamically and attaches a refreshed web id token to all credential resolution requests.

Also, a simple Google ADC web id token provider (`GoogleADCIdTokenProvider`) is included for convenience; this enables XLang Dataflow pipelines to be configured without the need of including any Java code.
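As an added illustration of the refresh mechanism the description above relies on (example code written for this page, not the PR's implementation and not part of Apache Beam): an AWS SDK v2 `StsAssumeRoleWithWebIdentityCredentialsProvider` whose `AssumeRoleWithWebIdentity` request is produced by a `Supplier` rather than captured once, so every credential refresh carries a token fetched at that moment. The `WebIdentityTokenProvider` interface, the `FileWebIdentityTokenProvider` sample (which re-reads a token file an external agent is assumed to rotate), the `loadTokenProvider` reflection helper, the role ARN, the session name and the token file path are all assumptions made for this example. `main` performs a real STS call, so running it needs a reachable STS endpoint, a role whose trust policy accepts the token issuer, and a currently valid token in the file.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.lang.reflect.Constructor;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.function.Supplier;

import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleWithWebIdentityCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;

public final class DynamicWebIdentityExample {

  /** Hypothetical contract (not Beam's): every call must return a token that is valid right now. */
  public interface WebIdentityTokenProvider {
    String getToken();
  }

  /**
   * Constructed sample provider: re-reads the token file on every call, so a token rotated on disk
   * by an external agent is picked up without restarting the job. A static provider that read the
   * file once at startup would keep presenting the expired token.
   */
  public static final class FileWebIdentityTokenProvider implements WebIdentityTokenProvider {
    private final Path tokenFile;

    public FileWebIdentityTokenProvider() {
      // Assumed location; real deployments would take this from configuration.
      this(Paths.get(System.getenv().getOrDefault(
          "WEB_IDENTITY_TOKEN_FILE", "/var/run/secrets/web-identity-token")));
    }

    public FileWebIdentityTokenProvider(Path tokenFile) {
      this.tokenFile = tokenFile;
    }

    @Override
    public String getToken() {
      try {
        return new String(Files.readAllBytes(tokenFile), StandardCharsets.UTF_8).trim();
      } catch (IOException e) {
        throw new UncheckedIOException("cannot read web identity token from " + tokenFile, e);
      }
    }
  }

  /** Instantiates a token provider from a fully qualified class name via its no-arg constructor. */
  static WebIdentityTokenProvider loadTokenProvider(String fqcn) {
    try {
      Class<?> clazz = Class.forName(fqcn);
      if (!WebIdentityTokenProvider.class.isAssignableFrom(clazz)) {
        throw new IllegalArgumentException(fqcn + " does not implement WebIdentityTokenProvider");
      }
      Constructor<?> ctor = clazz.getDeclaredConstructor();
      return (WebIdentityTokenProvider) ctor.newInstance();
    } catch (ReflectiveOperationException e) {
      throw new IllegalArgumentException("cannot instantiate token provider " + fqcn, e);
    }
  }

  /**
   * Builds a credentials provider that asks STS for short-lived role credentials and, each time the
   * SDK refreshes them, constructs a new AssumeRoleWithWebIdentity request carrying a token fetched
   * at that moment instead of the one captured when the pipeline started.
   */
  static AwsCredentialsProvider dynamicProvider(
      StsClient sts, String roleArn, String sessionName, WebIdentityTokenProvider tokens) {
    Supplier<AssumeRoleWithWebIdentityRequest> freshRequest =
        () -> AssumeRoleWithWebIdentityRequest.builder()
            .roleArn(roleArn)
            .roleSessionName(sessionName)
            .webIdentityToken(tokens.getToken()) // evaluated on every refresh, not once
            .build();
    return StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
        .stsClient(sts)
        .refreshRequest(freshRequest)
        .asyncCredentialUpdateEnabled(true) // refresh in the background before expiry
        .build();
  }

  public static void main(String[] args) {
    WebIdentityTokenProvider tokens =
        loadTokenProvider(FileWebIdentityTokenProvider.class.getName());
    StsClient sts = StsClient.builder().region(Region.US_EAST_1).build();
    // Assumed role ARN; this call reaches STS for real.
    AwsCredentialsProvider creds =
        dynamicProvider(sts, "arn:aws:iam::123456789012:role/example", "long-running-job", tokens);
    AwsCredentials c = creds.resolveCredentials();
    System.out.println("resolved temporary access key id " + c.accessKeyId());
  }
}
```

Two caveats worth keeping in mind with this pattern: the SDK invokes the supplier when it decides to refresh the cached session credentials (shortly before they expire), not on every AWS request, so the token provider only has to produce a valid token at refresh time, but a provider that hands back an already expired token still makes that refresh fail. And because the provider is named by FQCN, the class has to be present on every worker's classpath; a class that resolves on the launcher but not on the workers fails only once credentials are first resolved there.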