ec2 client credential init fix for AWS IRSA #29784
Open
+127
−10
What does this PR do?
This PR modifies the initialisation of the AWS EC2 client to use the AWS configuration package. This change enables support for built-in credentials such as AWS IAM Roles for Service Accounts (IRSA). The current use of ec2.New() does not work with IRSA, and although not tested, a similar issue likely occurs with EKS Pod Identity as well.
When a pod is assigned an IRSA with the correct permissions to perform DescribeTags, it encounters an error and logs the following message:
Fixes issue 29916
Motivation
We are currently running the Datadog Agent pod in AWS EKS and are aiming to clean up the instance role by eliminating unnecessary permissions attached to it. Datadog is one of many services that currently use the instance role for the ec2:DescribeTags permission, and we would like to switch to using the IRSA-assigned role.
After extensive debugging and tracing, we discovered that when the pod is assigned an IRSA token but the instance is running IMDSv2, it fails to use IRSA and always falls back to using the instance role.
Describe how to test/QA your changes

```yaml
collect_ec2_tags: true
collect_ec2_tags_use_imds: true
ec2_prefer_imdsv2: true
```
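When QA-ing this change it helps to confirm, from inside the agent pod, whether IRSA is actually projected before reading the agent's tag collection logs; if it is not, the SDK will fall back to the instance role regardless of this fix. The script below is an added example for that check and is not part of the datadog-agent code base; it assumes only the standard IRSA environment variables `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` injected by the EKS pod identity webhook, and decodes the projected web-identity token locally (no AWS calls) to show which service account and role it was issued for.

```sh
#!/bin/sh
# Diagnose whether this pod has IRSA credentials projected, and show the
# claims of the web-identity token so the role/service account pairing can
# be confirmed. Added QA helper; not part of datadog-agent. Assumes the
# standard IRSA env vars AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE.

# Decode one base64url JWT segment: restore '+' '/' and the '=' padding
# that base64url strips, then decode.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the payload (claims JSON) of a JWT stored in the file named by $1.
# The signature is deliberately not verified here; STS does that server-side.
jwt_claims() {
  payload=$(cut -d. -f2 < "$1")
  b64url_decode "$payload"
}

# Return 0 if IRSA is fully projected into this environment, 1 otherwise,
# printing what is missing so a fallback to the instance role can be explained.
irsa_check() {
  if [ -z "${AWS_ROLE_ARN:-}" ]; then
    echo "AWS_ROLE_ARN not set: no IRSA role, SDK will fall back to IMDS credentials"
    return 1
  fi
  if [ ! -r "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
    echo "AWS_WEB_IDENTITY_TOKEN_FILE missing or unreadable: token not projected"
    return 1
  fi
  echo "role:   $AWS_ROLE_ARN"
  echo "claims: $(jwt_claims "$AWS_WEB_IDENTITY_TOKEN_FILE")"
  return 0
}
```

Run `irsa_check` with `kubectl exec` in the agent pod; the `sub` claim should name the agent's service account and `AWS_ROLE_ARN` the role that carries `ec2:DescribeTags`.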
Possible Drawbacks / Trade-offs
None.
Additional Notes
None.