Posted to github@beam.apache.org by "mokamoka03210120 (via GitHub)" <gi...@apache.org> on 2023/04/04 08:55:28 UTC

[GitHub] [beam] mokamoka03210120 opened a new issue, #26097: [Feature Request]: Support Assume-Role by web identity

mokamoka03210120 opened a new issue, #26097:
URL: https://github.com/apache/beam/issues/26097

   ### What would you like to happen?
   
   I would like to use Assume-Role by web identity, but AwsOptions does not support it.
   To do that, AwsOptions must be able to handle `StsAssumeRoleWithWebIdentityCredentialsProvider`.
   
   * https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role-with-web-identity.html
   * https://github.com/apache/beam/blob/master/sdks/java/io/amazon-web-services2/src/main/java/org/apache/beam/sdk/io/aws2/options/AwsOptions.java#L75-L144
   
   ### Issue Priority
   
   Priority: 3 (nice-to-have improvement)
   
   ### Issue Components
   
   - [ ] Component: Python SDK
   - [X] Component: Java SDK
   - [ ] Component: Go SDK
   - [ ] Component: Typescript SDK
   - [ ] Component: IO connector
   - [ ] Component: Beam examples
   - [ ] Component: Beam playground
   - [ ] Component: Beam katas
   - [ ] Component: Website
   - [ ] Component: Spark Runner
   - [ ] Component: Flink Runner
   - [ ] Component: Samza Runner
   - [ ] Component: Twister2 Runner
   - [ ] Component: Hazelcast Jet Runner
   - [ ] Component: Google Cloud Dataflow Runner


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [beam] mosche commented on issue #26097: [Feature Request]: Support Assume-Role with web identity

Posted by "mosche (via GitHub)" <gi...@apache.org>.
mosche commented on issue #26097:
URL: https://github.com/apache/beam/issues/26097#issuecomment-1503389730

   @mokamoka03210120 Thanks for this issue and your PR!
   Before going to review, could you elaborate briefly on your use case to give a bit of context here? Thanks so much.




[GitHub] [beam] mosche closed issue #26097: [Feature Request]: Support Assume-Role with web identity

Posted by "mosche (via GitHub)" <gi...@apache.org>.
mosche closed issue #26097: [Feature Request]: Support Assume-Role with web identity
URL: https://github.com/apache/beam/issues/26097




[GitHub] [beam] mokamoka03210120 commented on issue #26097: [Feature Request]: Support Assume-Role with web identity

Posted by "mokamoka03210120 (via GitHub)" <gi...@apache.org>.
mokamoka03210120 commented on issue #26097:
URL: https://github.com/apache/beam/issues/26097#issuecomment-1506851378

   @mosche 
   Thank you for the comment.
   I am building a batch pipeline on Cloud Dataflow which has to get files from an AWS S3 bucket. It can access the bucket with an access key and secret using the current SDK, but in that case I have to rotate the credentials for security, and it is a hassle. So I am considering using assume-role with the ID token of a GCP service account to get temporary credentials when needed.




[GitHub] [beam] mokamoka03210120 commented on issue #26097: [Feature Request]: Support Assume-Role with web identity

Posted by "mokamoka03210120 (via GitHub)" <gi...@apache.org>.
mokamoka03210120 commented on issue #26097:
URL: https://github.com/apache/beam/issues/26097#issuecomment-1506918756

   Thanks. I was just commenting on the PR about that.
   https://github.com/apache/beam/pull/26098#discussion_r1165462611
   
   I think that the credentials for STS do not have to be valid when assuming a role by ID token. However, the way I suggested is rough.




[GitHub] [beam] mokamoka03210120 commented on issue #26097: [Feature Request]: Support Assume-Role by web identity

Posted by "mokamoka03210120 (via GitHub)" <gi...@apache.org>.
mokamoka03210120 commented on issue #26097:
URL: https://github.com/apache/beam/issues/26097#issuecomment-1495597487

   .take-issue




[GitHub] [beam] mosche commented on issue #26097: [Feature Request]: Support Assume-Role with web identity

Posted by "mosche (via GitHub)" <gi...@apache.org>.
mosche commented on issue #26097:
URL: https://github.com/apache/beam/issues/26097#issuecomment-1506869057

   Thanks 👍
   Note, this approach is currently somewhat limited. Currently there's no way to configure the STS client itself. It will depend on the default credentials provider chain. See https://github.com/apache/beam/issues/21296


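
The setup discussed in this thread, as an added example that is not part of the issue, the PR, or Beam's code: a plain AWS SDK for Java v2 credentials provider that exchanges a GCP service account ID token for temporary credentials, with the STS client built explicitly on anonymous credentials instead of the default provider chain. The role ARN, audience, bucket, session name and region are placeholders; it assumes `google-auth-library` is on the classpath, the code runs where the default Google credentials can mint ID tokens (for example a Compute Engine based worker), and the IAM role's trust policy accepts that Google identity.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdTokenProvider;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Collections;
import java.util.function.Supplier;
import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleWithWebIdentityCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;

public class WebIdentityS3Example {
  // Placeholders (not from the thread): substitute your own role, audience and bucket.
  static final String ROLE_ARN = "arn:aws:iam::123456789012:role/EXAMPLE-ROLE";
  static final String AUDIENCE = "EXAMPLE-AUDIENCE";
  static final String BUCKET = "EXAMPLE-BUCKET";

  public static void main(String[] args) throws IOException {
    // Fails with ClassCastException if the default credentials cannot mint ID tokens.
    IdTokenProvider gcp = (IdTokenProvider) GoogleCredentials.getApplicationDefault();
    // Evaluated on every refresh, so an expired ID token is never replayed to STS.
    Supplier<AssumeRoleWithWebIdentityRequest> request = () -> {
      try {
        String idToken =
            gcp.idTokenWithAudience(AUDIENCE, Collections.emptyList()).getTokenValue();
        return AssumeRoleWithWebIdentityRequest.builder()
            .roleArn(ROLE_ARN).roleSessionName("example-session")
            .webIdentityToken(idToken).durationSeconds(3600).build();
      } catch (IOException e) {
        throw new UncheckedIOException(e);
      }
    };
    // AssumeRoleWithWebIdentity needs no AWS credentials: the ID token is the proof
    // of identity, so the STS client does not need the default provider chain.
    try (StsClient sts = StsClient.builder().region(Region.US_EAST_1)
            .credentialsProvider(AnonymousCredentialsProvider.create()).build();
        StsAssumeRoleWithWebIdentityCredentialsProvider provider =
            StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
                .stsClient(sts).refreshRequest(request).build();
        S3Client s3 = S3Client.builder().region(Region.US_EAST_1)
            .credentialsProvider(provider).build()) {
      s3.listObjectsV2(b -> b.bucket(BUCKET).maxKeys(5))
          .contents().forEach(o -> System.out.println(o.key()));
    }
  }
}
```

No long-lived access key is stored anywhere in this flow; what needs review instead is the role's trust policy, which should pin the expected audience and service account subject.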