Restic: Support IAM for Service Accounts in AWS
Output of restic version
restic 0.9.6 compiled with go1.13.4 on linux/amd64
What should restic do differently? Which functionality do you think we should add?
Restic should support assuming role via WebIdentityTokenFile, which was added to minio (https://github.com/minio/minio-go/pull/1183). Doing so restic would be able to use a service account that is using AWS's eks.amazonaws.com/role-arn annotation to attach a role to it. This would be a big benefit since there wouldn't be a need for user credentials that have to be rolled regularly.
What are you trying to do?
I'd like to create backups of PVs in AWS that are stored in S3 bucket, without having an additional IAM user that I've to maintain.
Did restic help you today? Did it make you happy in any way?
The backup with restic it self works great, but having the additional user creates a lot overhead for us.
christian-vent
All 3 comments
Those changes for ROLE instead of 'secrets' are awaiting Stash and Velero:
AWS/EKS: Use AWS_ROLE_ARN with the token from AWS_WEB_IDENTITY_TOKEN_FILE for accessing Repository (S3)
https://github.com/stashed/stash/issues/1101
roman-judin-dragon
on 12 May 2020
In order to support the API changes it appears restic needs to be built with minio-go 6.0.45 or later, which includes https://github.com/minio/minio-go/pull/1183
https://github.com/minio/minio-go/releases/tag/v6.0.45
https://github.com/minio/minio-go/pull/1183
whereisaaron
on 13 May 2020
I have raised PR #2733 for this. It actually needs minio-go 6.0.53 as this contains and additional fix PR-1263 to correct the STS URL to https
ac-hibbert
on 13 May 2020
Related issues
fd0
·
4Comments
McKael
·
4Comments
ikarlo
·
4Comments
axllent
·
4Comments
TheLastProject
·
3Comments
Most helpful comment
I have raised PR #2733 for this. It actually needs minio-go 6.0.53 as this contains and additional fix PR-1263 to correct the STS URL to https