Skip to content

aws: add support for EKS Pod Identity #9696

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 9 commits into from
Closed

aws: add support for EKS Pod Identity #9696

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
2ff35bd
utils: add flb_utils_url_split_sds
PettitWesley May 17, 2024
1159929
aws: http_credentials: support EKS Pod Identity
PettitWesley May 17, 2024
fa7f66e
tests: internal: aws: EKS Pod identity tests
PettitWesley May 17, 2024
d7a7668
aws: fix leaks on new EKS Pod identities
edsiper Aug 27, 2024
f0e6f2b
utils: validate sds port
edsiper Aug 27, 2024
ec2209c
tests: internal: aws_credentials_http: fix leaks
edsiper Aug 27, 2024
a148473
Merge remote-tracking branch 'upstream/master' into upstream-pod-iden…
zhihonl Dec 6, 2024
5f94486
Rename credential constant and clean up unit test
zhihonl Feb 28, 2025
7cd2903
Merge remote-tracking branch 'upstream/master' into eks-pod-identity
zhihonl Feb 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 31 additions & 8 deletions include/fluent-bit/flb_aws_credentials.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -256,19 +256,21 @@ struct flb_aws_provider *flb_aws_env_provider_create();
* Calling flb_aws_provider_destroy on this provider frees the memory
* used by host and path.
*/
struct flb_aws_provider *flb_http_provider_create(struct flb_config *config,
flb_sds_t host,
flb_sds_t path,
struct
flb_aws_client_generator
*generator);
struct flb_aws_provider *flb_endpoint_provider_create(struct flb_config *config,
flb_sds_t host,
flb_sds_t path,
int port,
int insecure,
struct
flb_aws_client_generator
*generator);

/*
* ECS Provider
* HTTP Provider for EKS and ECS
* The ECS Provider is just a wrapper around the HTTP Provider
* with the ECS credentials endpoint.
*/
struct flb_aws_provider *flb_ecs_provider_create(struct flb_config *config,
struct flb_aws_provider *flb_http_provider_create(struct flb_config *config,
struct
flb_aws_client_generator
*generator);
Expand Down Expand Up @@ -350,5 +352,26 @@ int try_lock_provider(struct flb_aws_provider *provider);
void unlock_provider(struct flb_aws_provider *provider);


/*
* HTTP Credentials Provider - retrieve credentials from a local http server
* Used to implement the ECS Credentials provider.
* Equivalent to:
* https://github.com/aws/aws-sdk-go/tree/master/aws/credentials/endpointcreds
*/

struct flb_aws_provider_http {
struct flb_aws_credentials *creds;
time_t next_refresh;

struct flb_aws_client *client;

/* Host and Path to request credentials */
flb_sds_t host;
flb_sds_t path;

flb_sds_t auth_token; /* optional */
};


#endif
#endif /* FLB_HAVE_AWS */
22 changes: 20 additions & 2 deletions include/fluent-bit/flb_aws_util.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,17 @@ struct flb_aws_client {
int debug_only;
};

/* frees dynamic_headers */
struct flb_http_client *flb_aws_client_request_basic_auth(
struct flb_aws_client *aws_client,
int method, const char *uri,
const char *body, size_t body_len,
struct flb_aws_header
*dynamic_headers,
size_t dynamic_headers_len,
char *header_name,
char* auth_token);

/*
* Frees the aws_client, the internal flb_http_client, error_code,
* and flb_upstream.
Expand Down Expand Up @@ -144,13 +155,20 @@ flb_sds_t flb_aws_xml_error(char *response, size_t response_len);
flb_sds_t flb_aws_error(char *response, size_t response_len);

/*
* Similar to 'flb_aws_error', except it prints the JSON error type and message
* to the user in a error log.
* Similar to 'flb_aws_error', except it prints the JSON error __type and message
* field values to the user in a error log.
* 'api' is the name of the API that was called; this is used in the error log.
*/
void flb_aws_print_error(char *response, size_t response_len,
char *api, struct flb_output_instance *ins);

/*
* Error parsing for json APIs that respond with a
* Code and Message fields for error responses.
*/
void flb_aws_print_error_code(char *response, size_t response_len,
char *api);

/* Similar to 'flb_aws_print_error', but for APIs that return XML */
void flb_aws_print_xml_error(char *response, size_t response_len,
char *api, struct flb_output_instance *ins);
Expand Down
2 changes: 2 additions & 0 deletions include/fluent-bit/flb_utils.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,5 +75,7 @@ void flb_utils_set_plugin_string_property(const char *name,
flb_sds_t *field_storage,
flb_sds_t new_value);
int flb_utils_mkdir(const char *dir, int perms);
int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
flb_sds_t *out_host, flb_sds_t *out_port, flb_sds_t *out_uri);

#endif
2 changes: 1 addition & 1 deletion src/aws/flb_aws_credentials.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -581,7 +581,7 @@ static struct flb_aws_provider *standard_chain_create(struct flb_config
}
}

sub_provider = flb_ecs_provider_create(config, generator);
sub_provider = flb_http_provider_create(config, generator);
if (sub_provider) {
/* ECS Provider will fail creation if we are not running in ECS */
mk_list_add(&sub_provider->_head, &implementation->sub_providers);
Expand Down
Loading