Workload Identity Federation not using AWS EKS Service Account Token Volume Projection [238911014]

Assigned

Bug

Status Update

No update yet.

Description

ma...@starlingbank.com

created issue #1

Jul 14, 2022 01:59PM

I am trying to set up Workload Identity Federation from workloads running in kubernetes pods on AWS EKS to Google Cloud Service Accounts. Testing on EC2 everything worked first time, but moving to EKS has been troublesome.

Google Cloud SDK and CLI are ignoring the presence of the AWS_WEB_IDENTITY_TOKEN_FILE environment variable, and instead going to the AWS metadata service in order to obtain an AWS STS Token. This means the obtained AWS STS token is for the AWS IAM Role of the underlying EC2 instance, rather than that of the pod where the workload is running.

Steps to prove

The principal with roles/iam.workloadIdentityUser should normally be:

principalSet://iam.googleapis.com/projects/<number>/locations/global/workloadIdentityPools/<pool>/attribute.aws_role/arn:aws:sts::<aws account>:assumed-role/<pod role>

Trying to use this from a kubernetes pod gives the error:

ERROR: (gcloud.config.set) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "The caller does not have permission",\n "status": "PERMISSION_DENIED"\n }\n}\n')`

If <pod role> is changed to be the underlying <ec2 role> of the EKS worker node then federation is successful and API calls are accepted. This is showing the CLI/SDK is using the incorrect AWS IAM Role when contacting Google for federation.

Workaround

Based on reading the documentation at https://google.aip.dev/auth/4117 there is no accommodation for using Web Identity Tokens in the auth flow. AWS sets the environment variables AWS_WEB_IDENTITY_TOKEN_FILE & AWS_ROLE_ARN on EKS pods which are configured with a kubernetes service account that reference an AWS IAM Role.

We can force the correct role to be used by triggering this condition (from the above documentation):

Check the environment variables ACCESS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and the optional AWS_SESSION_TOKEN for the AWS security credentials. If found, skip using the AWS metadata server to determine these values

With this code

eval $(aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --role-session-name test --web-identity-token $(cat $AWS_WEB_IDENTITY_TOKEN_FILE) | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)\n"')

Now the principalSet can be updated with the correct <pod role>, and everything works.

Summary

The gcloud SDK/CLI are not using the correct credentials on AWS when running in EKS pods using service accounts linked to IAM roles.

Two more related bits of background reading:

First, documentation from AWS on IAM Roles for Service Accounts (IRSA)

Second, the AWS Java SDK documentation on Class DefaultCredentialsProvider. This shows the order of credential evaluation performed by the Java SDK and is useful to see what is happening in this case:

The bug in this case is because the gcloud SDK/CLI is falling through to case 6 (instance profile from metadata service)
The SDK/CLI should be implementing case 3 and using Web Identity Tokens
The workaround triggers case 2

Comments

de...@daangn.com <de...@daangn.com> #2Nov 7, 2022 06:32AM

Hi, thanks for giving me great workaround.
You suggested that we make temporary security credentials with using aws cli(assume-role-with-web-identity) and then impersonate gcp service account from IRSA.
But, all credentials made by aws cli(assume-role-with-web-identity) have Session Duration(Expiration time).

So, after the expiration time, we can't use the credentials anymore.
How do you deal with the credentials' duration time when you try to continously use gcp api from pod with irsa?

Thank you.

Message last modified on Nov 7, 2022 06:33AM

ta...@ujet.cx <ta...@ujet.cx> #3Mar 26, 2023 03:10PM

This is a blocker for us as well.
We would like to use WIF from EKS workloads but not really possible due to the above limitations.

For the AWS STS token expiration when using the above workaround, I think the easiest would be to asynchronously update the env variables in the background with a cron or based on the expiration field coming from the sts service.

as...@bt.com <as...@bt.com> #4May 17, 2023 09:49PM

Comment has been deleted.

Message last modified on May 24, 2023 09:42PM

as...@bt.com <as...@bt.com> #5May 24, 2023 09:43PM

Hi,
were you able to refresh the tokens periodically ? Could you help me how you did it?

ma...@google.com <ma...@google.com> May 26, 2023 02:23AM

Assigned to ma...@google.com.

ma...@google.com <ma...@google.com> #6May 26, 2023 08:27AM

Reassigned to gc...@google.com.

Hello,

Thanks for reaching out to us!

The Feature request has been created and the Product Engineering Team is working on this request. Right now, there is no ETA to this request. Thank you for your trust and continued support to improve Google Cloud Platform products.

In case you want to report a new issue, please do not hesitate to create a new Issue Tracker thread describing your issue.

Thanks & Regards,
Mahaboob

[Deleted User] <[Deleted User]> #7May 26, 2023 09:06PM

This workaround did not work for me because the command above does not expose the session expiry. Thus the application cannot use the session. I've exposed the session expiry from the token and can confirm it works.

eval $(aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --role-session-name test --web-identity-token $(cat $AWS_WEB_IDENTITY_TOKEN_FILE) | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=(.SessionToken)\nexport AWS_SESSION_EXPIRATION=(.Expiration)\n"')

as...@bt.com <as...@bt.com> #8May 26, 2023 09:11PM

But how do you refresh the token periodically ?
Can you share full example please? I tried with Cronjob and normal linux cron. Both attempt were unsucessful.

1. Cronjob runs in a new pod where I cannot access the AWS_WEB_IDENTITY_TOKEN_FILE which is present in main pod.
2. If I run a linux cron in the main pod, I still cannot access the env variables, as the cron runs in a new shell, where normal env variables are not accessible.

I could think of updating a volume inside a pod, instead of env variable. I think that would work. But could not get it to work.

as...@bt.com <as...@bt.com> #9Jun 8, 2023 09:02PM

Hi Mahboob/Google team

Any updates on the fix ?

am...@sentra.io <am...@sentra.io> #10Jun 15, 2023 08:39PM

any updates?

ma...@google.com <ma...@google.com> #11Jul 3, 2023 09:15AM

Hello,

The Product Engineering team is aware and working on this request. Currently we cannot provide any ETA. Please follow this thread for updates.

Thanks and Regards,
Mahaboob Subhani

Message last modified on Jul 5, 2023 11:11AM

ma...@google.com <ma...@google.com> Jul 4, 2023 06:28AM

Reassigned to ma...@google.com.

ma...@google.com <ma...@google.com> Jul 5, 2023 11:04AM

Reassigned to gc...@google.com.

dg...@google.com <dg...@google.com> #12Jul 20, 2023 06:27AM

any updates on this? +1 to affected, customer is blocked

Message last modified on Oct 16, 2023 04:52AM

th...@lookout.com <th...@lookout.com> #13Sep 9, 2023 08:17PM

any updates on this? +1 to affected. customer is Lookout

ja...@booking.com <ja...@booking.com> #14Sep 14, 2023 01:37PM

any updates on this? +1 to affected. customer is Booking.com

pb...@paloaltonetworks.com <pb...@paloaltonetworks.com> #15Oct 4, 2023 08:04PM

Any Update on this?

le...@google.com <le...@google.com> #16Oct 4, 2023 08:34PM

An option is to use the OIDC token in AWS_WEB_IDENTITY_TOKEN_FILE when using EKS. You need to set up a OIDC provider in your pool and use file-sourced credentials.

We are currently working on an SDK feature to make providing AWS creds to the library easier.

pb...@paloaltonetworks.com <pb...@paloaltonetworks.com> #17Oct 4, 2023 11:58PM

Any documentation reference for that will be helpful

as...@bt.com <as...@bt.com> #18Oct 5, 2023 08:23AM

@Google team,

You have pointed back to the initial workaround mentioned by OP. What progress Google is making on this?

The option you mention to use OIDC token in AWS_WEB_IDENTITY_TOKEN_FILE is the one described in the workaround in the OP's post. i.e. You run this in the pod

eval $(aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --role-session-name test --web-identity-token $(cat $AWS_WEB_IDENTITY_TOKEN_FILE) | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=(.SessionToken)\nexport AWS_SESSION_EXPIRATION=(.Expiration)\n"')

When you run this command, you will have temporary AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY exported in the pod and then the Google client sdk would recognize this , and things would work as they should using the pod role instead of worker node role.

The problem is these temporary sessions expire, so how do we rotate/refresh the session effectively.

Any idea when will be the SDK feature to make providing AWS creds to the library easier would be available, any timelines ?

le...@google.com <le...@google.com> #19Oct 9, 2023 05:49PM

I am suggesting using the OIDC token directly, skipping the assume role call. To do that you would have to set up an OIDC provider in your pool and use file-sourced credential config that points to AWS_WEB_IDENTITY_TOKEN_FILE.

le...@google.com <le...@google.com> #20Oct 9, 2023 08:14PM

Can you folks please let us know which languages you'd like supported first? Thanks in advance.

as...@bt.com <as...@bt.com> #21Oct 9, 2023 09:19PM

So, you mean point the AWS_WEB_IDENTITY_TOKEN_FILE in credential config file. would that work?

for e.g.
  ....
  "credential_source": {
    "file": "/AWS_WEB_IDENTITY_TOKEN_FILE"
  }
  ...

I guess at first Python and Java would be mostly used.

ed...@starlingbank.com <ed...@starlingbank.com> #22Oct 10, 2023 09:17AM

+1 for Java and Python for us too

ma...@starlingbank.com <ma...@starlingbank.com> #23Oct 10, 2023 09:19AM

So, you mean point the AWS_WEB_IDENTITY_TOKEN_FILE in credential config file

You can read the AWS_WEB_IDENTITY_TOKEN_FILE directly, but it is rotated very regularly so your application would. need to take that into consideration. This is what the Google SDK should be doing.

Can you folks please let us know which languages you'd like supported first?

Java for us, please.

ja...@booking.com <ja...@booking.com> #24Oct 10, 2023 09:24AM

Golang for us please :)

dg...@google.com <dg...@google.com> #25Oct 16, 2023 04:41AM

+1 for Java here - Customer still actively wanting this.

de...@daangn.com <de...@daangn.com> #26Nov 10, 2023 10:37AM

any updates?

jp...@google.com <jp...@google.com> #27Nov 20, 2023 10:36PM

Unless you're dealing with a large number of EKS clusters, it might be an option to federate your EKS cluster(s) with workload identity federation directly. We recently published a page that describes how to do this, see Configure workload identity federation with Kubernetes.

ma...@starlingbank.com <ma...@starlingbank.com> #28Nov 21, 2023 10:39AM

Is this a new feature of workload identity federation? Just trying to determine if this is a cryptic way of saying the ticket is resolved. At first glance this would remove the need for the workaround we depend on currently.

as...@bt.com <as...@bt.com> #29Nov 21, 2023 11:09AM

Thanks Google team, Essentially, we will establish trust with GCP that says: "trusts this openid connect (OIDC) token issued to a k8s service account by a given K8s API server and map it to this GCP principal:// or principalSet://.

While this would work for EKS , as the OIDC discovery endpoint is public (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html#:~:text=Amazon%20EKS%20hosts%20a%20public%20OIDC%20discovery%20endpoint%20for%20each%20cluster%20that%20contains%20the%20signing%20keys%20for%20the%20ProjectedServiceAccountToken%20JSON%20web%20tokens%20so%20external%20systems%2C%20such%20as%20IAM%2C%20can%20validate%20and%20accept%20the%20OIDC%20tokens%20that%20are%20issued%20by%20Kubernetes.)

But not for bare kubernetes on-prem which might be private by design. We will have make the OIDC metadata for your kubernetes cluster visible to GCP externally.

I say this, since the new post you have created titled "Kubernetes" in general. Either the title need to be EKS specific Or the caveat needs to be added for bare k8s scenario.

Message last modified on Nov 21, 2023 11:15AM

eu...@gmail.com <eu...@gmail.com> #30Dec 20, 2023 12:41PM

The provided new article doesn't appear to render a working setup.

When I do `Create a credential configuration file` and then try to use it in `gcloud auth login --cred-file ./credential-configuration.json` followed by `gcloud auth print-access-token` I get `'Error code invalid_request: Invalid subject_token_type for specified provider. Allowed values: urn:ietf:params:aws:token-type:aws4_request'`.

If I patch a working (working with `imdsv2` endpoint, but not working with `AWS_WEB_IDENTITY_TOKEN_FILE`) `credential-configuration.json` that cointains `urn:ietf:params:aws:token-type:aws4_request`, replacing it's `credential_source` with the `"file": "/var/run/service-account/token"`, I get `ERROR: (gcloud.auth.login) The provided external account credentials are invalid or unsupported`.

It seems that to this day the only option to authenticate from EKS to GCP is to use `imdsv2` endpoint, or to use a workaround of generating AWS credential env vars from the `AWS_WEB_IDENTITY_TOKEN_FILE` token. Am I missing anything?

Message last modified on Dec 20, 2023 12:42PM

th...@lookout.com <th...@lookout.com> #31Jan 3, 2024 03:56PM

Do we have any update or ETA?

da...@goodrx.com <da...@goodrx.com> #32Feb 6, 2024 05:05PM

Please fix this. I lost many hours of productivity following the google documentation and testing only to discover that the EKS pod identity is not processed correctly by the google oauth libs. We are seeing only the eke node's aws role and not the pod's identity. This is very poor security and extremely problematic with multitenant clusters.

Message last modified on Feb 6, 2024 06:13PM

ei...@google.com <ei...@google.com> #33May 22, 2024 04:00PM

In addition to the approach Johannes mentioned, we have also added support recently for defining custom logic to supply the 3rd party token or AWS security credentials for workload identity federation. This feature can be used to implement logic that returns the AWS security credentials from environment variables or any other method to the google credential to exchange for a GCP access token.

ch...@foresite.com <ch...@foresite.com> #34Jul 9, 2024 09:27PM

Comment has been deleted.

Message last modified on Jul 10, 2024 05:07PM

sh...@thomsonreuters.com <sh...@thomsonreuters.com> #35Jul 24, 2024 01:18PM

Dot Net implementation for us.

an...@splunk.com <an...@splunk.com> #36Oct 3, 2024 01:04PM

I have also encountered the very issue with EKS IRSA role. Even though there is a workaround now, finding out what exactly is the issue while using WIF in EKS was quite time consuming and not obvious.

The current solution using a custom provider works well and is rather easy to implement by letting AWS SDK handle the web identity credentials retrieval.

However, I believe this case is common enough that this should be automatically handled by the Google OAuth library alone - it could check for AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE variables and if they are set, send the request to AWS to assume role with web identity. It would be also great if the library would handle caching those credentials.

Issue 238911014

Description

Steps to prove

Workaround

Summary

Issue summary

Comments

de...@daangn.com <de...@daangn.com> #2Nov 7, 2022 06:32AM

ta...@ujet.cx <ta...@ujet.cx> #3Mar 26, 2023 03:10PM

as...@bt.com <as...@bt.com> #4May 17, 2023 09:49PM

as...@bt.com <as...@bt.com> #5May 24, 2023 09:43PM

ma...@google.com <ma...@google.com> May 26, 2023 02:23AM

ma...@google.com <ma...@google.com> #6May 26, 2023 08:27AM

[Deleted User] <[Deleted User]> #7May 26, 2023 09:06PM

as...@bt.com <as...@bt.com> #8May 26, 2023 09:11PM

as...@bt.com <as...@bt.com> #9Jun 8, 2023 09:02PM

am...@sentra.io <am...@sentra.io> #10Jun 15, 2023 08:39PM

ma...@google.com <ma...@google.com> #11Jul 3, 2023 09:15AM

ma...@google.com <ma...@google.com> Jul 4, 2023 06:28AM

ma...@google.com <ma...@google.com> Jul 5, 2023 11:04AM

dg...@google.com <dg...@google.com> #12Jul 20, 2023 06:27AM

th...@lookout.com <th...@lookout.com> #13Sep 9, 2023 08:17PM

ja...@booking.com <ja...@booking.com> #14Sep 14, 2023 01:37PM

pb...@paloaltonetworks.com <pb...@paloaltonetworks.com> #15Oct 4, 2023 08:04PM

le...@google.com <le...@google.com> #16Oct 4, 2023 08:34PM

pb...@paloaltonetworks.com <pb...@paloaltonetworks.com> #17Oct 4, 2023 11:58PM

as...@bt.com <as...@bt.com> #18Oct 5, 2023 08:23AM

le...@google.com <le...@google.com> #19Oct 9, 2023 05:49PM

le...@google.com <le...@google.com> #20Oct 9, 2023 08:14PM

as...@bt.com <as...@bt.com> #21Oct 9, 2023 09:19PM

ed...@starlingbank.com <ed...@starlingbank.com> #22Oct 10, 2023 09:17AM

ma...@starlingbank.com <ma...@starlingbank.com> #23Oct 10, 2023 09:19AM

ja...@booking.com <ja...@booking.com> #24Oct 10, 2023 09:24AM

dg...@google.com <dg...@google.com> #25Oct 16, 2023 04:41AM

de...@daangn.com <de...@daangn.com> #26Nov 10, 2023 10:37AM

jp...@google.com <jp...@google.com> #27Nov 20, 2023 10:36PM

ma...@starlingbank.com <ma...@starlingbank.com> #28Nov 21, 2023 10:39AM

as...@bt.com <as...@bt.com> #29Nov 21, 2023 11:09AM

eu...@gmail.com <eu...@gmail.com> #30Dec 20, 2023 12:41PM

th...@lookout.com <th...@lookout.com> #31Jan 3, 2024 03:56PM

da...@goodrx.com <da...@goodrx.com> #32Feb 6, 2024 05:05PM

ei...@google.com <ei...@google.com> #33May 22, 2024 04:00PM

ch...@foresite.com <ch...@foresite.com> #34Jul 9, 2024 09:27PM

sh...@thomsonreuters.com <sh...@thomsonreuters.com> #35Jul 24, 2024 01:18PM

an...@splunk.com <an...@splunk.com> #36Oct 3, 2024 01:04PM

Add comment

Issue metadata