-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for temporary AWS IAM credentials (using session tokens) from secrets #2495
Comments
That sounds like a reasonable ask and nice improvement. Thoughts @kedacore/keda-maintainers? Thanks for suggesting to contributing this! |
I'm not totally sure about this. Could you share a high level description about the solution you are thinking on? (how to manage the token expiration, how to use one or the other,...) |
When I look at the docs for the sqs scaler, I see keda/pkg/scalers/aws_sqs_queue_scaler.go Line 124 in 2446b8e
I haven't yet explored the lifetime of these creds objects, or how KEDA behaves if static credentials become invalid or the underlying secret changes. I'd assume this has been considered already, as static credentials can become invalid and the secrets containing the credentials can change. This would just happen more frequently if temporary creds (using session tokens) were supported. If the concept of adding support for temporary credentials sounds acceptable in general, I'll proceed by examining the lifetime of these credential objects, determine how KEDA currently handles expirations/secret changes (assuming the credential object lifetimes are long enough to warrant this), and if needed, propose any changes that would be necessary to support temporary credentials. |
Hi @JacobHenner |
I've got the session tokens working, but only the keda-operator component seems to re-read the secret if auth starts failing due to token expiration. I've spent some time looking into how this could be handled in the metrics server component, and haven't yet figured it out. I'll revisit this in the next few days. |
Hello,
In my environment there are situations where temporary (sts-generated) IAM role credentials are stored in Kubernetes secrets and updated as needed. In this environment IRSA is unavailable, and we cannot permit KEDA to assume-role.
Instead, it'd be great if we could use the existing static credentials mechanism, and add support for specifying session tokens (needed for temporary credentials). For example:
If this proposal is acceptable, I can craft the PR. Adding support for the extra value seems to be straightforward. I just need to research how credential refreshing would be implemented (assuming it's needed), as these temporary creds would obviously expire after some time.
The text was updated successfully, but these errors were encountered: