fix: adjust credential chain #2958
Conversation
ekristen
requested review from
joe-elliott,
annanay25,
mdisibio,
mapno,
yvrhdn,
zalegrala,
electron0zero,
ie-pham and
stoewer
as code owners
|
|
| }, | ||
| }), | ||
| } | ||
| chain := []credentials.Provider{ |
There was a problem hiding this comment.
It doesn't. That's what this chain does, since v6.0.53 of minio package. https://github.com/grafana/tempo/pull/2958/files#diff-c0f785bb00d262f48124144ac01da108c80587ee0cbadb13f4451942be17dab3R443-R447
The other code doesn't seem to work right. I didn't troubleshoot it in depth, except for IRSA doesn't work, the minio client sdk can handle all the various methods.
There was a problem hiding this comment.
If that is removed the IDMSv1 will break again, I in parallel engaged with Minio and uncovered that it is actually a minio-go lib issue minio/minio-go#1866 fixed by minio/minio-go#1877 released in v7.0.63, if we could bump minio-go version we could revert the #2760.
|
Tested and it seems to solve our IRSA issue in EKS but I did not test any other cases. |
|
All the other methods are pretty easy to test. I've tested this chain in another tool, happy to have whoever test to get it merged. |
|
Any update on this PR? Would be great to have this fix released |
How would you test them? We're looking for a reliable way to test all the different auth modes. We manually tested the current implementation and it worked fine before. It feels we're going in circles with these S3 auth changes, as this PR is actually configuring the credential provider chain how it was in the first v2.2 release, before issue #2743 was reported and fixed. |
|
My suspicion to why it appear to not work in the first place is because one of the handlers in the chain probably retuned keys prior to getting to the IRSA chain. Most of the handlers are env vars or config file parsers, it would take sitting down and writing tests and having valid keys or testing keys were returned at a minimum. The IMDS ones would be most difficult because you'd either have to test on an AWS node with a role or intercept the call to 169.x. The IRSA can be done with GitHub actions as it provides an IDP tokens endpoint to auth to AWS. My changes work. Restic project uses the exact same chain as well, minus the weird v2 signature override function this project has going on. I'll see if I can find some time to see how difficult it would be too write some tests. |
|
@mapno The latest commit adds tests for the entire credential chain with calls to metadata service for instance profile role and IRSA being mocked. I excluded calls to ECS as I don't think that's a valid deployment target at this time. Tests will start to fail due to GitHub Actions OIDC to an AWS account not being setup. These instructions are being put at the top of the PR to be followed as well.
Trust PolicyNote: replace 123456123456 with your account id. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:grafana/tempo:*"
},
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
}
}
}
]
} |
|
Wow, thanks for the tests. I'll need to take a detailed look at them.
But the chain barely changes from its current state to your changes, no? It's the same chain, except for |
|
I think a lot of things got mixed together. It looks like there was some issues with IMDS and then IRSA (assume role with web identity) If the minio library is updated to the latest based on the other individuals comment and other this is merged or the other PRs are reverted then things should be ok. I updated the order of the chain to make more sense and added tests. |
|
Just reviewed the tests, they're a pretty nice addition! I still don't understand why the new chain works and the current doesn't, as it doesn't introduce changes from what we have now (or had in the past). Sorry if I'm being very obtuse here.
Would you like to take care of that change? I can do it if not. Thanks for the patience! Love to see these contributions in Tempo ❤️ |
|
Updated the dependency. I still thing this PR is the better way to go with the tests. |
|
I will rebase. |
|
Closing in favor of #3006 |
PR #2889 was suppose to fix this but it doesn't as far as I can tell. It's possibly because I have IDMS enabled too and not blocked, but you can't expect that to get blocked to make things work. (I read about this in one of the issues)
Simply switching the chain flow up a bit resolves this issue without the need of if statements makes this all work again, which is what this PR does.
I've build the image and am hosting it at
ghcr.io/ekristen/tempo:2.2.3-ek1if you'd like to test it out.What this PR does:
Fixes AWS authentication for IRSA.
Which issue(s) this PR fixes:
Fixes #2888
Checklist
CHANGELOG.mdupdated - the order of entries should be[CHANGE],[FEATURE],[ENHANCEMENT],[BUGFIX]Configuring IRSA Testing with GitHub Actions
tempo-testsTrust Policy
Note: replace 123456123456 with your account id.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringLike": { "token.actions.githubusercontent.com:sub": "repo:grafana/tempo:*" }, "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" } } } ] }