Posted to issues@flink.apache.org by "Rafi Aroch (Jira)" <ji...@apache.org> on 2020/02/12 16:43:00 UTC

[jira] [Comment Edited] (FLINK-14881) Upgrade AWS SDK to support "IAM Roles for Service Accounts" in AWS EKS

    [ https://issues.apache.org/jira/browse/FLINK-14881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17035501#comment-17035501 ] 

Rafi Aroch edited comment on FLINK-14881 at 2/12/20 4:42 PM:
-------------------------------------------------------------

IAM Roles for Service Accounts have many advantages when deploying Flink on AWS EKS.

From AWS documentation:

{quote}_With IAM roles for service accounts on Amazon EKS clusters, you can associate an IAM role with a Kubernetes service account. This service account can then provide AWS permissions to the containers in any pod that uses that service account. With this feature, you no longer need to provide extended permissions to the worker node IAM role so that pods on that node can call AWS APIs._
{quote}

As Kubernetes becomes the popular deployment method, I believe we should support this capability.

In order for IAM Roles for Service Accounts to work, I see two necessary changes:
 * Bump the AWS SDK version to at least 1.11.623.
 * Add a dependency on AWS STS in order for the assume-role to work.

This is relevant for S3 Filesystem & Kinesis modules.

I tested this change successfully on EKS with S3 filesystem.

Can I proceed with a PR?


> Upgrade AWS SDK to support "IAM Roles for Service Accounts" in AWS EKS
> ----------------------------------------------------------------------
>
>                 Key: FLINK-14881
>                 URL: https://issues.apache.org/jira/browse/FLINK-14881
>             Project: Flink
>          Issue Type: Improvement
>          Components: FileSystems
>            Reporter: Vincent Chenal
>            Priority: Major
>
> In order to use IAM Roles for Service Accounts in AWS EKS, the minimum required version of the AWS SDK is 1.11.623.
> [https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html]
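
The two changes listed in the comment (SDK at least 1.11.623, plus the STS module) can be checked before deployment. The following is an added example, not part of the original message or of Flink's code: a preflight check over a classpath listing and a pod's environment. It assumes unshaded AWS SDK jar file names (Flink's bundled filesystem jars may relocate them) and the AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE variables that EKS injects into pods using an annotated service account; the sample jar lists, role ARN and function names are constructed for illustration.

```python
import re

MIN_SDK = (1, 11, 623)  # minimum AWS SDK version stated in the issue
# Matches unshaded SDK module jars, e.g. aws-java-sdk-core-1.11.623.jar (assumed naming)
JAR_RE = re.compile(r"^(aws-java-sdk-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")
# Variables EKS sets in a pod whose service account is bound to an IAM role
IRSA_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")


def parse_version(text):
    """Turn '1.11.1000' into (1, 11, 1000) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def irsa_preflight(jar_names, env):
    """Return a list of problems; an empty list means the prerequisites are met."""
    modules = {}
    for name in jar_names:
        match = JAR_RE.match(name)
        if match:
            modules[match.group(1)] = parse_version(match.group(2))

    problems = []
    core = modules.get("aws-java-sdk-core")
    if core is None:
        problems.append("aws-java-sdk-core not found on classpath")
    elif core < MIN_SDK:
        found = ".".join(map(str, core))
        problems.append("aws-java-sdk-core %s is older than 1.11.623" % found)
    if "aws-java-sdk-sts" not in modules:
        problems.append("aws-java-sdk-sts missing: web identity role cannot be assumed")
    for var in IRSA_ENV:
        if not env.get(var):
            problems.append("%s is not set in the pod environment" % var)
    return problems


# Constructed sample inputs (not taken from a real deployment)
SAMPLE_JARS_OLD = ["aws-java-sdk-core-1.11.271.jar", "aws-java-sdk-s3-1.11.271.jar"]
SAMPLE_JARS_NEW = ["aws-java-sdk-core-1.11.1000.jar", "aws-java-sdk-s3-1.11.1000.jar",
                   "aws-java-sdk-sts-1.11.1000.jar"]
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/example-flink-role",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}

if __name__ == "__main__":
    for label, jars, env in (("old", SAMPLE_JARS_OLD, {}), ("new", SAMPLE_JARS_NEW, SAMPLE_ENV)):
        print(label, irsa_preflight(jars, env) or "ok")
```

Versions are compared as integer tuples because a plain string comparison would rank 1.11.1000 below 1.11.623.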


