Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support use of IRSA for repository-s3 plugin credentials #2999

Closed
scaswell-tsys opened this issue Apr 20, 2022 · 2 comments · Fixed by #3475
Closed

Support use of IRSA for repository-s3 plugin credentials #2999

scaswell-tsys opened this issue Apr 20, 2022 · 2 comments · Fixed by #3475
Assignees
@reta
Labels
enhancement Enhancement or improvement to existing feature or request Plugins security Anything security related v2.1.0 Issues and PRs related to version 2.1.0 v2.2.0 v3.0.0 Issues and PRs related to version 3.0.0

Comments

@scaswell-tsys
Copy link

Is your feature request related to a problem? Please describe.
The corporate standard at our organization for products running inside AWS EKS is to use IAM Roles for Service Accounts (IRSA) to provide credentials for authentication to AWS services such as S3. This does not appear to be supported in the repository-s3 plugin.

Describe the solution you'd like
The ability to omit access key and secret key and have the repository-s3 plugin rely on the identity provided to the Pod running OpenSearch for credentials.

Describe alternatives you've considered
There are not a lot of alternatives. Until IRSA is supported we will be forced to use an access key/secret key combination. However this is contrary to the standard imposed by our Infosec organization and we'll be forced to obtain an exception (not an attractive proposition).

Additional context
We are specifically trying to deploy OpenSearch and repository-s3 plugin version 1.2.4. We have not tried to use version 1.3.1 but as far as I can tell (based on source code, documentation, and forums) IRSA is not supported in 1.3.1.
@scaswell-tsys scaswell-tsys added enhancement Enhancement or improvement to existing feature or request untriaged labels Apr 20, 2022
@Poojita-Raj Poojita-Raj added security Anything security related Plugins and removed untriaged labels Apr 20, 2022
@reta reta self-assigned this May 27, 2022
@reta
Copy link
Collaborator

reta commented May 27, 2022

@Poojita-Raj taking it if no one is working on it

@reta reta mentioned this issue May 30, 2022
Merged
5 tasks
@reta reta added v2.1.0 Issues and PRs related to version 2.1.0 v3.0.0 Issues and PRs related to version 3.0.0 v2.2.0 labels Jun 2, 2022
@reta reta mentioned this issue Jun 2, 2022
Closed
@reta
Copy link
Collaborator

reta commented Jun 2, 2022

@scaswell-tsys do you have the opportunity to verify the IRSA flow? (it was tested successfully on AWS EKS)

@reta reta mentioned this issue Jun 3, 2022
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@reta reta

Labels
enhancement Enhancement or improvement to existing feature or request Plugins security Anything security related v2.1.0 Issues and PRs related to version 2.1.0 v2.2.0 v3.0.0 Issues and PRs related to version 3.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support use of IRSA for repository-s3 plugin credentials reta/OpenSearch
3 participants
@reta @Poojita-Raj @scaswell-tsys