Bitbucket Data Center / BSERV-12585

Support IAM roles for K8s service accounts to use for ES request signing


In EKS it is possible to tie IAM roles to K8s service accounts: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/. The AWS SDK has been updated to support this feature. In particular, https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/WebIdentityTokenCredentialsProvider.java has been introduced in the AWS Java SDK.

Bitbucket uses https://github.com/inreachventures/aws-signing-request-interceptor, which uses an old version of the AWS Java SDK. Thus there's no WebIdentityTokenCredentialsProvider, and Bitbucket uses the IAM role attached to a node or profile instead of the one attached to a service account.

Perhaps it's possible either to fork https://github.com/inreachventures/aws-signing-request-interceptor and update the AWS Java SDK, or to repackage the aws-signing-request-interceptor jar during the build so that it has AWS SDK at least 1.11.603.

Assignee: Unassigned
Reporter: Yevhen
Votes: 2
Watchers: 5
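A quick way to audit a deployment for the condition this issue describes, as an added example that is not part of the original issue or of Bitbucket: it reports whether request signing can use the service account role or will fall back to the node or profile role, which is usually shared by every pod on the node. It assumes the SDK ships as a separate `aws-java-sdk-core-<version>.jar` and that the pod carries the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables EKS injects; the function names and sample values are constructed.

```python
import re

# Minimum aws-java-sdk version the issue names for web identity support.
MIN_SDK = (1, 11, 603)
# Variables the EKS pod identity webhook injects into pods that use IRSA.
IRSA_VARS = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
# Assumption: the SDK is a separate jar with the version in its file name.
CORE_JAR = re.compile(r"(?:^|/)aws-java-sdk-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def sdk_core_versions(jar_paths):
    """Return every aws-java-sdk-core version found, oldest first."""
    found = set()
    for path in jar_paths:
        match = CORE_JAR.search(path)
        if match:
            found.add(tuple(int(part) for part in match.groups()))
    return sorted(found)


def signing_identity(jar_paths, env):
    """Classify which IAM identity request signing can run as."""
    if not all(env.get(name) for name in IRSA_VARS):
        return "node-or-profile-role: no service account role is bound to this pod"
    versions = sdk_core_versions(jar_paths)
    if not versions:
        return "unknown: no aws-java-sdk-core jar found (it may be repackaged)"
    # Judge by the oldest copy: any stale jar on the classpath may be loaded.
    if versions[0] < MIN_SDK:
        old = ".".join(map(str, versions[0]))
        return f"node-or-profile-role: SDK {old} cannot read the web identity token"
    # Necessary, not sufficient: the application must still use a
    # credentials provider that reads the token file.
    return "service-account-role-possible: SDK is new enough"


# Constructed sample input, not taken from a real Bitbucket installation.
SAMPLE_JARS = [
    "app/WEB-INF/lib/aws-java-sdk-core-1.11.105.jar",
    "app/WEB-INF/lib/aws-signing-request-interceptor-X.Y.Z.jar",
]
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/example-es-signing",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}

if __name__ == "__main__":
    print(signing_identity(SAMPLE_JARS, SAMPLE_ENV))
```

A "node-or-profile-role" result on a pod that has the IRSA variables set means the role annotation on the service account is being silently ignored for signing.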