Use kube2iam without hardcoded credentials or ec2 iam role #114

Open
Cinderhaze opened this issue Dec 12, 2017 · 4 comments

Comments

@Cinderhaze

The aws-sdk-go has options for endpoint credentials for a provider (https://github.com/aws/aws-sdk-go/blob/master/aws/credentials/endpointcreds/provider.go). Is there any way to utilize that provider with kube2iam? I am in an environment where I would like to access the credentials for a separate AWS account from a third-party URL that wraps the STS:GetSessionToken API (http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).

@jtblin
Owner

jtblin commented Mar 26, 2018

As of now, this is not possible but such support could probably be added.

@yogeek

yogeek commented Oct 25, 2019

Not sure if it is the same subject, but when searching for details on a problem we have using kube2iam with a lib based on the AWS Go SDK (https://github.com/olivere/elastic), I found this issue.
Can you confirm that it is the same cause, please?
And do you know a solution?

Issue created in elastic lib repo : olivere/elastic#1218

@Cinderhaze
Author

Cinderhaze commented Oct 25, 2019

This may no longer be needed, as the region that I was talking about has now been added to the default Go SDK in 1.24.2, so once this is updated past that point, it should work for my use case - though it still wouldn't work for anything not in the list.

-- edit --

I take that back. This issue was intended to allow the use of the built-in provider to reference an external credential provider, but kube2iam only works with the built-in IAM role, which gets its info from the IAM role on the instance.

@yogeek

yogeek commented Oct 29, 2019

Hello @jtblin, can you confirm my case is concerned by this enhancement, please?
And do you have any idea if it is a modification on the kube2iam side or on the SDK side?
