fix: Implement IRSA mode to allow k8s deployments to use mounted service account auth (#98)

michaelbauerinc · web-flow · commit 915aceb35a36 · 2024-12-13T16:28:43.000+03:00
diff --git a/config/config.go b/config/config.go
@@ -26,6 +26,7 @@ type Instance struct {
 	DisableBasicMetrics    bool              `yaml:"disable_basic_metrics"`
 	DisableEnhancedMetrics bool              `yaml:"disable_enhanced_metrics"`
 	Labels                 map[string]string `yaml:"labels"` // may be empty
+	IRSAEnabled            bool              `yaml:"irsa_enabled"`
 
 	// TODO Type InstanceType `yaml:"type"` // may be empty for old pmm-managed
 }
diff --git a/sessions/sessions.go b/sessions/sessions.go
@@ -183,6 +183,21 @@ func (s *Sessions) GetSession(region, instance string) (*session.Session, *Insta
 }
 
 func buildCredentials(instance config.Instance) (*credentials.Credentials, error) {
+	// If IRSA is enabled, let the AWS SDK use the default credential provider chain,
+	// which includes the service account role credentials.
+	if instance.IRSAEnabled {
+		// Create a new session with just the region set, no credentials provided explicitly.
+		// This allows the SDK to use the credentials mounted by IRSA.
+		stsSession, err := session.NewSession(&aws.Config{
+			Region: aws.String(instance.Region),
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		return stsSession.Config.Credentials, nil
+	}
+
 	if instance.AWSRoleArn != "" {
 		stsSession, err := session.NewSession(&aws.Config{
 			Region:      aws.String(instance.Region),

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ type Instance struct {`
`26`	`26`	DisableBasicMetrics bool `yaml:"disable_basic_metrics"`
`27`	`27`	DisableEnhancedMetrics bool `yaml:"disable_enhanced_metrics"`
`28`	`28`	Labels map[string]string `yaml:"labels"` // may be empty
	`29`	+ IRSAEnabled bool `yaml:"irsa_enabled"`
`29`	`30`
`30`	`31`	// TODO Type InstanceType `yaml:"type"` // may be empty for old pmm-managed
`31`	`32`	`}`