Respect Audience Annotation #388

aaronb-sb · 2024-08-06T16:11:46Z

While EKS OIDC creation defaults to sts.amazonaws.com kops defaults to amazonaws.com, but the bigger thing is to be completely compliant with pod-identity-webhook the audience annotation must be respected instead of a hard coded constant.

Code Changes in auth.go

	arnAnno         = "eks.amazonaws.com/role-arn"
	audienceAnno    = "eks.amazonaws.com/audience"
	docURL          = "https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html"
	defaultAudience = "sts.amazonaws.com"
	ProviderName    = "secrets-store-csi-driver-provider-aws"
)

func (p authTokenFetcher) FetchToken(ctx credentials.Context) ([]byte, error) {
	svcAcc, err := p.k8sClient.ServiceAccounts(p.nameSpace).Get(ctx, p.svcAcc, metav1.GetOptions{})
	if err != nil {
		return nil, err
	}

	audience := svcAcc.Annotations[audienceAnno]
	if len(audience) <= 0 {
		audience = defaultAudience
	}

	// Use the K8s API to fetch the token from the OIDC provider.
	tokRsp, err := p.k8sClient.ServiceAccounts(p.nameSpace).CreateToken(ctx, p.svcAcc, &authv1.TokenRequest{
		Spec: authv1.TokenRequestSpec{
			Audiences: []string{audience},
		},
	}, metav1.CreateOptions{})
	if err != nil {
		return nil, err
	}

	return []byte(tokRsp.Status.Token), nil
}

The text was updated successfully, but these errors were encountered:

simonmarty · 2024-11-04T19:58:25Z

Closing in favor of #300 , we're working on pod identity support.

aaronb-sb added the enhancement New feature or request label Aug 6, 2024

simonmarty closed this as completed Nov 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Respect Audience Annotation #388

Respect Audience Annotation #388

aaronb-sb commented Aug 6, 2024

simonmarty commented Nov 4, 2024

Respect Audience Annotation #388

Respect Audience Annotation #388

Comments

aaronb-sb commented Aug 6, 2024

Code Changes in auth.go

simonmarty commented Nov 4, 2024