AWS Web Identity / IRSA Support (#10541)

* AWS Web Identity Support required for AWS IRSA * Update kinesis-ingestion.md * disabling coverage tests https://github.com/apache/druid/pull/10541#issuecomment-737558213 * exclude coverage * Update licenses.yaml
2025-02-22 18:30:13 +00:00 · 2021-01-25 18:44:02 +05:30 · 2021-01-25 18:44:02 +05:30 · 1c1b396eaa
commit 1c1b396eaa
parent 8c227bc566
5 changed files with 20 additions and 5 deletions
--- a/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSCredentialsUtils.java
+++ b/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSCredentialsUtils.java
@ -24,6 +24,7 @@ import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
 import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
 import com.amazonaws.auth.InstanceProfileCredentialsProvider;
 import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
+import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
 import com.amazonaws.auth.profile.ProfileCredentialsProvider;

 public class AWSCredentialsUtils
@ -35,6 +36,7 @@ public class AWSCredentialsUtils
        new LazyFileSessionCredentialsProvider(config),
        new EnvironmentVariableCredentialsProvider(),
        new SystemPropertiesCredentialsProvider(),
+        WebIdentityTokenCredentialsProvider.create(),        
        new ProfileCredentialsProvider(),
        new EC2ContainerCredentialsProviderWrapper(),
        InstanceProfileCredentialsProvider.getInstance());
--- a/docs/development/extensions-core/kinesis-ingestion.md
+++ b/docs/development/extensions-core/kinesis-ingestion.md
@ -236,7 +236,7 @@ To authenticate with AWS, you must provide your AWS access key and AWS secret ke
 -Ddruid.kinesis.accessKey=123 -Ddruid.kinesis.secretKey=456
 ```
 The AWS access key ID and secret access key are used for Kinesis API requests. If this is not provided, the service will
-look for credentials set in environment variables, in the default profile configuration file, and from the EC2 instance
+look for credentials set in environment variables, via [Web Identity Token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html), in the default profile configuration file, and from the EC2 instance
 profile provider (in this order).

 ### Getting Supervisor Status Report
--- a/extensions-core/s3-extensions/pom.xml
+++ b/extensions-core/s3-extensions/pom.xml
@ -112,6 +112,11 @@
      <artifactId>aws-java-sdk-s3</artifactId>
      <scope>provided</scope>
    </dependency>
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>aws-java-sdk-sts</artifactId>
+      <scope>provided</scope>
+    </dependency>    
    <!-- Tests -->
    <dependency>
      <groupId>org.apache.druid</groupId>
--- a/licenses.yaml
+++ b/licenses.yaml
@ -151,7 +151,7 @@ name: AWS RDS SDK for Java
 license_category: source
 module: extensions/druid-aws-rds-extensions
 license_name: Apache License version 2.0
-version: 1.11.199
+version: 1.11.884
 libraries:
  - com.amazonaws: aws-java-sdk-rds

@ -3583,10 +3583,11 @@ name: AWS SDK for Java
 license_category: binary
 module: extensions/druid-kinesis-indexing-service
 license_name: Apache License version 2.0
-version: 1.11.199
+version: 1.11.884
 libraries:
  - com.amazonaws: aws-java-sdk-kinesis
  - com.amazonaws: aws-java-sdk-sts
+  - com.amazonaws: jmespath-java  

 ---

--- a/pom.xml
+++ b/pom.xml
@ -110,7 +110,7 @@
        <hadoop.compile.version>2.8.5</hadoop.compile.version>
        <mockito.version>3.2.4</mockito.version>
        <powermock.version>2.0.2</powermock.version>
-        <aws.sdk.version>1.11.199</aws.sdk.version>
+        <aws.sdk.version>1.11.884</aws.sdk.version>
        <caffeine.version>2.8.0</caffeine.version>
        <jacoco.version>0.8.5</jacoco.version>
        <!-- Curator requires 3.4.x ZooKeeper clients to maintain compatibility with 3.4.x ZooKeeper servers,
@ -264,6 +264,11 @@
                <artifactId>aws-java-sdk-s3</artifactId>
                <version>${aws.sdk.version}</version>
            </dependency>
+            <dependency>
+                <groupId>com.amazonaws</groupId>
+                <artifactId>aws-java-sdk-sts</artifactId>
+                <version>${aws.sdk.version}</version>
+            </dependency>            
            <dependency>
                <groupId>com.ning</groupId>
                <artifactId>compress-lzf</artifactId>
@ -1293,7 +1298,9 @@

                        <!-- Exceptions -->
                        <exclude>org/apache/druid/query/TruncatedResponseContextException.class</exclude>
-                    </excludes>
+
+                        <exclude>org/apache/druid/common/aws/AWSCredentials*</exclude>                      
+                  </excludes>
                </configuration>
                <executions>
                    <execution>