@ryangoldblatt-bm ryangoldblatt-bm commented Oct 14, 2025

Description

Use default AWS credentials chain to support EKS Pod Identity.

Currently the AWS authentication is hard-coded to support IRSA only by checking for injected env variables AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN.

These changes use the default AWS credentials chain, which also supports EKS Pod Identity (which injects the env variable AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE instead).

Pod Identity is a simpler approach in EKS than IRSA since OIDC identity providers are not needed, see here.

Which issue(s) does this PR resolve?

n/a

Type of change

  • New feature (non-breaking change which adds functionality)

Testing and verification

Related unit test passes:

go test -v -run TestAwsEcrBasicAuthProvider ./pkg/common/oras/authprovider/aws/

=== RUN   TestAwsEcrBasicAuthProvider_Create
--- PASS: TestAwsEcrBasicAuthProvider_Create (0.00s)
=== RUN   TestAwsEcrBasicAuthProvider_Enabled
time="2025-10-14T14:43:29+01:00" level=error msg="basic ECR providerName was empty"
--- PASS: TestAwsEcrBasicAuthProvider_Enabled (0.00s)
=== RUN   TestAwsEcrBasicAuthProvider_ProvidesWithArtifact
--- PASS: TestAwsEcrBasicAuthProvider_ProvidesWithArtifact (0.00s)
=== RUN   TestAwsEcrBasicAuthProvider_ProvidesWithHost
--- PASS: TestAwsEcrBasicAuthProvider_ProvidesWithHost (0.00s)
=== RUN   TestAwsEcrBasicAuthProvider_GetAuthTokenWithoutRegion
--- PASS: TestAwsEcrBasicAuthProvider_GetAuthTokenWithoutRegion (0.00s)
PASS
ok  	github.com/ratify-project/ratify/pkg/common/oras/authprovider/aws	(cached)

We've also built and tested this patch in our environment, which now enables Ratify to use EKS Pod Identity rather than IRSA to authenticate to our ECR repo.

Checklist

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post merge requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

Signed-off-by: Ryan Goldblatt <ryan.goldblatt@bitmex.com>
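The difference the PR describes, as an added illustration that is not Ratify's code: a reconstruction of an IRSA-only env-variable check beside a detector that also recognises the Pod Identity variable, run against two constructed pod environments. The function names, the paths and the role ARN are assumptions for the demo.

```go
package main

import (
	"fmt"
	"os"
)

// Environment variables named in the PR description: IRSA injects the first
// two, EKS Pod Identity injects the third.
const (
	envWebIdentityTokenFile   = "AWS_WEB_IDENTITY_TOKEN_FILE"            // IRSA
	envRoleARN                = "AWS_ROLE_ARN"                           // IRSA
	envContainerAuthTokenFile = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE" // Pod Identity
)

// irsaOnlyEnabled reconstructs the hard-coded check the PR replaces
// (illustrative assumption, not Ratify's code): it only recognises IRSA.
func irsaOnlyEnabled(getenv func(string) string) bool {
	return getenv(envWebIdentityTokenFile) != "" && getenv(envRoleARN) != ""
}

// credentialSource reports which EKS identity mechanism injected credentials
// into the pod; both are sources the default credentials chain can consume.
// Returns "irsa", "pod-identity" or "none".
func credentialSource(getenv func(string) string) string {
	switch {
	case getenv(envWebIdentityTokenFile) != "" && getenv(envRoleARN) != "":
		return "irsa"
	case getenv(envContainerAuthTokenFile) != "":
		return "pod-identity"
	default:
		return "none"
	}
}

// envLookup adapts a constructed map to the getenv shape used above so the
// two pod environments can be compared offline without touching os.Environ.
func envLookup(env map[string]string) func(string) string {
	return func(k string) string { return env[k] }
}

func main() {
	// Constructed sample environments for the two mechanisms (not real pods).
	pods := map[string]func(string) string{
		"irsa": envLookup(map[string]string{
			envWebIdentityTokenFile: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
			envRoleARN:              "arn:aws:iam::123456789012:role/ratify-ecr-reader",
		}),
		"pod-identity": envLookup(map[string]string{
			envContainerAuthTokenFile: "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token",
		}),
	}
	for name, g := range pods {
		fmt.Printf("%-13s hard-coded check=%-5v default chain=%s\n", name, irsaOnlyEnabled(g), credentialSource(g))
	}
	fmt.Println("this process:", credentialSource(os.Getenv))
}
```

With the Pod Identity environment the hard-coded check reports false while the chain-style detector reports "pod-identity", which is the gap the PR closes.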