Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for IAM Role for Service Account (IRSA) if using AWS / Support for KIAM #184

Open
kartik-moolya opened this issue Jul 28, 2021 · 2 comments
Open

Support for IAM Role for Service Account (IRSA) if using AWS / Support for KIAM #184

kartik-moolya opened this issue Jul 28, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@kartik-moolya
Copy link

kartik-moolya commented Jul 28, 2021
edited
Loading

Hi team,
My request is pretty straightforward and I believe you must have already though about it. I need to use IAM Role for Service Account to be able to access my AWS Elasticsearch, and Minio (AWS S3 Bucket) also AmazonMQ if required
The current Reporting Portal helm chart configuration does not allow this feature as of now. Having AWS access keys in the code would raise security concerns no matter how safely I store it also it needs to be rotated frequently.

My painpoint is

  • Need to use iam roles instead of AWS access keys for S3 bucket, ES and everything possible

Below would be the initial steps to get started with this issue -

  • Add a capability to specify annotations for service account which would be used by ReportingPortal to access AWS Elasticsearch, S3 bucket via Minio
  • Use a compatible AWS SDK to allow IAM Role for Service Accounts.

This could be the only reason folks on AWS are thinking twice before using this portal. Any help would be appreciated
@hlebkanonik hlebkanonik added the enhancement New feature or request label May 16, 2024
@dracut5
Copy link

dracut5 commented Jul 22, 2024

Hi,

I have noticed that the service account already supports annotations
https://github.com/reportportal/kubernetes/blob/reportportal-24.1.2/reportportal/templates/authorization/serviceaccount.yaml#L8

But the storage configuration still relies on DATASTORE_ACCESSKEY and DATASTORE_SECRETKEY - either from the secret or as plain values, as example
https://github.com/reportportal/kubernetes/blob/reportportal-24.1.2/reportportal/templates/service-api/api-deployment.yaml#L153-L169

The docs says that it is For AWS IAM role association

https://github.com/reportportal/kubernetes/blob/reportportal-24.1.2/reportportal/values.yaml#L667

I have tried to add eks.amazonaws.com/role-arn annotation to the service account and remove a reference to secretName, but got errors like

Caused by: org.jclouds.rest.AuthorizationException: HEAD https://reportportal****amazonaws.com/integration-secrets/secret-integration-salt HTTP/1.1 -> HTTP/1.1 403 Forbidden

Secrets were populated from defaults and it seems the services tried to use them ignoring the annotation with IAM role ARN.

I suppose, you are using some sort of standard HTTP client to sign and send requests to s3, correct?

It would be great to have IRSA option supported by Report Portal.

P.S. you are doing awesome things, many thanks!

@brainfair
Copy link

Hi! Any chance to get this implemented? since already 3y+ from initial request my hope isn't to big

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@brainfair @dracut5 @hlebkanonik @kartik-moolya