Support for EKS Pod Identities

[jtschelling]

Describe the feature

When I try and use this github action to assume into a role that my pod has the permissions to assume into the action errors out with Error: Credentials could not be loaded, please check your action inputs: 169.254.170.23 is not a valid container metadata service hostname

This github action does not currently support the pod identities feature tmk.

Use Case

I have an EKS cluster that I run self-hosted runners in through the actions-runner-controller project. I want to use pod identities to simplify my IAM management.

Proposed Solution

Use the client-eks-auth feature in the aws sdk https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-eks-auth/README.md

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

[tim-finnigan]

Thanks for the feature request. Here is documentation on EKS Pod Identities for our reference: https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html.

Others can 👍this issue to show support and comment to share use cases and additional info.

[jmbravo]

Probably related with aws/aws-sdk-js-v3#5709 ?

I'm getting the same error.

Got the same error also in Atlantis pod but upgrading Terraform AWS provider fixed the issue

@jtschelling did you find a workaround for this?

[yurii-kryvosheia]

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

[jmbravo]

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

In which component?

[yurii-kryvosheia]

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

In which component?

In configure-aws-credentials action.

[casey-robertson-paypal]

This is the auth method that AWS recommends for EKS - it's been over 6 months now.....

[gabordk]

@tim-finnigan sorry for bugging but using pod identities is the official, AWS recommended way to access AWS resources.
Could you please raise the priority of this issue?
Thanks.

[gabordk]

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

In which component?

In configure-aws-credentials action.

Hi @yurii-kryvosheia, would you mind giving a little bit more detailed description how did you managed to go around this issue? Thanks a lot.

[jmbravo]

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

In which component?

In configure-aws-credentials action.

EKS Pod Identity doesn't work in any aws-credential version (that's the purpose of this issue), I still don't understand your point.

[yurii-kryvosheia]

@jmbravo the workaround is to use v2.2.0 🤷🏼‍♂️

In which component?

In configure-aws-credentials action.

Hi @yurii-kryvosheia, would you mind giving a little bit more detailed description how did you managed to go around this issue? Thanks a lot.

I'm sorry, I didn't dig into this issue, I just rolled back to v2.2.0.

[bogdan-matei]

It seems that this has been fixed in aws/aws-sdk-js-v3#5739 so the SDK version should be updated.
The repository received lots of updates meantime, but no tags have been release.

I just checked out this commit 0fc95ed93529d540ccff34b6c330f66318bdc888 rather than a specific tag and EKS Pod Identity works.