
Commit 0a72ad8

committed
add eks pod identity credentials support
1 parent 1a1b429 commit 0a72ad8


1 file changed

+38
-0
lines changed

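--- a/common/etc/nginx/include/awscredentials.js
+++ b/common/etc/nginx/include/awscredentials.js
@@ -58,6 +58,12 @@ const EC2_IMDS_TOKEN_ENDPOINT = 'http://169.254.169.254/latest/api/token';
 */
 const EC2_IMDS_SECURITY_CREDENTIALS_ENDPOINT = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/';
 
+/**
+* URL to EKS Pod Identity Agent credentials endpoint
+* @type {string}
+*/
+const EKS_POD_IDENTITY_AGENT_CREDENTIALS_ENDPOINT = 'http://169.254.170.23/v1/credentials'
+
 /**
 * Offset to the expiration of credentials, when they should be considered expired and refreshed. The maximum
 * time here can be 5 minutes, the IMDS and ECS credentials endpoint will make sure that each returned set of credentials
@@ -293,6 +299,15 @@ async function fetchCredentials(r) {
 r.return(500);
 return;
 }
+}
+else if (utils.areAllEnvVarsSet('AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE')) {
+try {
+credentials = await _fetchEKSPodIdentityCredentials(r)
+} catch (e) {
+utils.debug_log(r, 'Could not assume role using EKS pod identity: ' + JSON.stringify(e));
+r.return(500);
+return;
+}
 } else {
 try {
 credentials = await _fetchEC2RoleCredentials();
@@ -378,6 +393,29 @@ async function _fetchEC2RoleCredentials() {
 };
 }
 
+/**
+* Get the credentials needed to generate AWS signatures from the EKS Pod Identity Agent
+* endpoint.
+*
+* @returns {Promise<Credentials>}
+* @private
+*/
+async function _fetchEKSPodIdentityCredentials() {
+const token = fs.readFileSync(process.env['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE']);
+let resp = await ngx.fetch(EKS_POD_IDENTITY_AGENT_CREDENTIALS_ENDPOINT, {
+headers: {
+'Authorization': token,
+},
+});
+const creds = await resp.json();
+
+return {
+accessKeyId: creds.AccessKeyId,
+secretAccessKey: creds.SecretAccessKey,
+sessionToken: creds.Token,
+expiration: creds.Expiration,
+};
+}
 /**
 * Get the credentials by assuming calling AssumeRoleWithWebIdentity with the environment variable
 * values ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_SESSION_NAME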