[IMPROVEMENT] Document EKS OIDC Role usage for S3 Backups #8586
Labels: area/volume-backup-restore, kind/improvement, require/backport, require/doc, require/manual-test-plan
Longhorn documentation refers to third-party IAM role integration in order to authenticate with S3. EKS now has first-party support for IAM role integrations via OIDC. In addition, one of the referenced third-party applications (kiam) has been archived as a result of the first-party integration.
Describe the solution you'd like
Longhorn documentation and potentially application functionality should be updated to direct users who wish to back up to S3 via an IAM role integration to do so via the first-party OIDC attachment via Kubernetes Service Account.
See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
Describe alternatives you've considered
We would strongly prefer to avoid using IAM users to authenticate to S3 for the purposes of backing up volumes.
For the time being, I have configured the backups by permitting the longhorn node roles access to the bucket via bucket policy.
Please let me know if there is any more context required for this particular request.
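Added example, not part of the original issue and not Longhorn code: a check that an IAM role's trust policy for the EKS OIDC integration requested above can only be assumed by one Kubernetes service account. The account ID and OIDC provider ID are placeholders, and the namespace and service account name are assumptions.

```python
# Constructed sample: account ID and OIDC provider ID are placeholders; the
# namespace and service account name are assumptions, not taken from the issue.
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
NAMESPACE, SERVICE_ACCOUNT = "longhorn-system", "longhorn-service-account"


def trust_policy(conditions):
    """Build a constructed trust policy with the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": conditions,
    }]}


def audit_irsa_trust(policy, issuer, namespace, service_account):
    """Return findings; an empty list means only this service account can assume the role."""
    want_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings, matched = [], False
    statements = policy.get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        matched = True
        principal = st.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not str(federated).endswith(f":oidc-provider/{issuer}"):
            findings.append("principal is not the cluster's OIDC provider")
        exact = st.get("Condition", {}).get("StringEquals", {})
        if exact.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        # A missing sub, or one matched only through StringLike wildcards, fails here.
        if exact.get(f"{issuer}:sub") != want_sub:
            findings.append(f"sub is not pinned to {want_sub}")
    if not matched:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


PINNED = trust_policy({"StringEquals": {
    f"{ISSUER}:aud": "sts.amazonaws.com",
    f"{ISSUER}:sub": f"system:serviceaccount:{NAMESPACE}:{SERVICE_ACCOUNT}"}})
LOOSE = trust_policy({"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}})

if __name__ == "__main__":
    print(audit_irsa_trust(LOOSE, ISSUER, NAMESPACE, SERVICE_ACCOUNT))
```

A trust policy that pins only `aud` lets any service account in the cluster assume the role, which is why the `sub` check is the one that matters for a backup bucket.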