feat(artifacts): support ephemeral credentials for S3. Fixes #5446 #12467
Conversation
hittingray
requested review from
terrytangyuan and
sarabala1979
as code owners
hittingray
force-pushed
the
feat-s3-session-tokens
branch
from
e31780d
to
ea24e90
Compare
hittingray
force-pushed
the
feat-s3-session-tokens
branch
2 times, most recently
from
4bfb0a0
to
d7ff9ed
Compare
This comment was marked as spam.
This comment was marked as spam.
|
@keymon Still waiting on the argo/pkg PR which you already commented on. There's no point me making the changes requested until that one has been merged in 😞 |
hittingray
force-pushed
the
feat-s3-session-tokens
branch
from
04607ef
to
6f29ca4
Compare
|
@isubasinghe I've updated the PR, would appreciate a review when you have time, thank you! |
|
@isubasinghe Sorry to ping again, but would be good if you could review the changes here. The PR has been sitting around for ages and I'd like to avoid having to address merge conflicts in the code gen again. |
|
Yes, please, add support for this as it blocks some local development and unit testing argoproj/pkg#596 has been merged and this is ready to merge! |
agilgur5
changed the title
|
@hittingray will re-review this tomorrow. |
hittingray
force-pushed
the
feat-s3-session-tokens
branch
2 times, most recently
from
88cd6e0
to
7915c55
Compare
|
@isubasinghe I've rebased it on latest Edit: Seems like just pushing another commit to trigger it fixed it, so flakey test it is. |
hittingray
force-pushed
the
feat-s3-session-tokens
branch
from
7915c55
to
d74ed05
Compare
|
@hittingray Don't stress about the windows tests, they are broken and are not required for merging. |
|
@isubasinghe No worries then. It's ready for your review otherwise then :) |
|
@agilgur5 can you review the documentation for me, you are a bit more knowledgeable there about conventions. |
hittingray
force-pushed
the
feat-s3-session-tokens
branch
from
d74ed05
to
a26f3ba
Compare
agilgur5
changed the title
There was a problem hiding this comment.
Docs review in-line below as requested.
Note that this page has yet to be fully re-written to match the style guide, so some of the style you copied from here is actually non-conformant. A more recent example to copy from is #13376
Thanks for the docs review! |
hittingray
force-pushed
the
feat-s3-session-tokens
branch
5 times, most recently
from
7568479
to
1592fa3
Compare
agilgur5
changed the title
|
@hittingray could you please make the suggested changes? |
hittingray
force-pushed
the
feat-s3-session-tokens
branch
3 times, most recently
from
192d770
to
6a83625
Compare
|
|
||
| !!! Note "Temporary" | ||
| IAM role credentials are temporary, so you must refresh them periodically via an external mechanism. | ||
| Argo will not refresh them for you. |
There was a problem hiding this comment.
| Argo will not refresh them for you. |
I had suggested removing this before as it is redundant with the above sentence.
We can leave it in if you feel strongly about it, but you hadn't commented there, so not sure if leaving this in intentional
There was a problem hiding this comment.
I'm ok to remove it. Just wanted to make it clear, but I guess the first sentence is already pretty clear.
There was a problem hiding this comment.
Yea "external mechanism" == "not Argo". The most explicit way would be to recommend some tooling, but I actually don't know of any that do this out of the box
There was a problem hiding this comment.
Yeh, I don't know off the top of my head. For the access grants, we wrote our own admission controller which retrieves the credentials and injects them at workflow creation time, but it's not open source (for now).
hittingray
force-pushed
the
feat-s3-session-tokens
branch
from
6a83625
to
8d6efa7
Compare
|
@agilgur5 Thanks for the reviews and sorry for all the back-and-forth! Fixed up again with your suggestions. |
…ixes argoproj#5446 (argoproj#5446) Signed-off-by: Raymond Chow <rchow@atlassian.com>
hittingray
force-pushed
the
feat-s3-session-tokens
branch
from
8d6efa7
to
bb00922
Compare
|
No worries, iteration is progress and progress is good! |
There was a problem hiding this comment.
Docs LGTM ✅
Thanks @hittingray for your dedication to getting this PR in over a long time period and pushing through all the iteration and upstream changes! ❤️
@isubasinghe you didn't approve this before, so this is now blocked on your previous change request
|
I did a partial backport/cherry-pick of the docs changes to existing features here to |
Fixes #5446
Motivation
We would like to use the new S3 access grants feature, which uses only temporary credentials. The aforementioned issue addresses temporary credentials in general (prior to recently though, this would have only been for IAM role).
Modifications
Firstly, some changes needed to be made in the Argo common
pkgrepo: argoproj/pkg#596I am still waiting for these changes to be reviewed and therefore still have the forked dependency in my
go.mod. This is quite a small set of changes, as support for temporary credentials was already added to the AWS client in general previously.Inside the Argo Workflows repo, I have made changes to how the S3 artifact driver is initialised, which mainly includes looking for the session token and using it if applicable. There is also a change on the workflow pod side to fetch the relevant secret if applicable.
Verification
I have written a couple unit tests to verify the driver and workflow creation behaviour. There was no test for creation of the driver, so I took the liberty of writing a small test to ensure the behaviour of specifically the changes I made. For the changes in
s3.go, thes3clientstruct is not exported fromargoproj/pkg, so it made testing the changes I made impossible. I feel the changes made in this file are fairly small anyway.I have also tested the changes by attempting to write into a S3 bucket in a workflow, using both IAM role and S3 access grant credentials. The behaviour is as expected; and when the credentials are invalid, or expired, an appropriate error message is returned.