Syed Shameerur Rahman created HADOOP-19535:
----------------------------------------------
Summary: S3A : Add WebIdentityTokenFileCredentialsProvider to
default S3 credential provider chain
Key: HADOOP-19535
URL: https://issues.apache.org/jira/browse/HADOOP-19535
Project: Hadoop Common
Issue Type: Improvement
Components: fs/s3
Reporter: Syed Shameerur Rahman
Assignee: Syed Shameerur Rahman
The current default s3 credential provider chain is set in the order of
{code:java}
org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider,org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider,software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider,org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider{code}
Refer [code ref
|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml#L1450]for
more details.
This works perfectly fine when used in AWS EC2, EMR Serverless, but not with
AWS EKS pods.
For EKS pods, It is recommended to use
{color:#1d1c1d}software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider{color}
WebIdentityTokenFileCredentialsProvider is an AWS credentials provider that
enables applications to obtain temporary AWS credentials by assuming an IAM
role using a web identity token (like OAuth or OIDC tokens). It's particularly
important in EKS as it's the underlying mechanism that makes IRSA (IAM Roles
for Service Accounts) work.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
