jclarysse opened a new pull request #4070:
URL: https://github.com/apache/hadoop/pull/4070


   ### Description of PR
   The PR addresses a requirement to comply with the AWS security concept [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) (IRSA) while operating a service that isn't based on Apache Spark and that runs inside Amazon Elastic Kubernetes Service (EKS).
   
   The code change consists in adding a new credentials provider class `org.apache.hadoop.fs.s3a.OIDCTokenCredentialsProvider` to the module [hadoop-aws](https://hadoop.apache.org/docs/current/hadoop-aws/tools/hadoop-aws/index.html).
   
   ### How was this patch tested?
   No new unit test or integration test was created, on purpose. The patch was "only" tested based on [Hadoop release 2.10.1](https://github.com/apache/hadoop/tree/rel/release-2.10.1), as part of our specific use case based on [Delta sharing service](https://github.com/delta-io/delta-sharing) v0.4.0 along with the following Hadoop configuration (core-site.xml):
   ```xml
   <?xml version="1.0"?>
   <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
   <configuration>
     <property>
       <name>fs.s3a.aws.credentials.provider</name>
       <value>org.apache.hadoop.fs.s3a.OIDCTokenCredentialsProvider</value>
     </property>
     <property>
       <name>fs.s3a.jwt.path</name>
       <value>/var/run/secrets/eks.amazonaws.com/serviceaccount/token</value>
     </property>
     <property>
       <name>fs.s3a.role.arn</name>
       <value>my_iam_role_arn</value>
     </property>
     <property>
       <name>fs.s3a.session.name</name>
       <value>my_iam_session_name</value>
     </property>
     <property>
       <name>fs.s3a.server-side-encryption-algorithm</name>
       <value>SSE-KMS</value>
     </property>
     <property>
       <name>fs.s3a.server-side-encryption.key</name>
       <value>my_kms_key_id</value>
     </property>
   </configuration>
   ```
   
   ### For code changes:
   - [X] The title of this PR starts with the corresponding JIRA issue 'HADOOP-18154'
   - [ ] Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
   - [X] No new dependency was added to the code.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
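
A pre-flight check for the configuration quoted in the PR description, as an added example that is not part of the pull request or of hadoop-aws. The three `fs.s3a.*` keys are the ones shown above; the expected audience `sts.amazonaws.com`, the `system:serviceaccount:` subject prefix, the ARN pattern and the helper names are assumptions of this sketch, and the sample token is constructed and unsigned.

```python
import base64, json, re, time
import xml.etree.ElementTree as ET

REQUIRED = ("fs.s3a.jwt.path", "fs.s3a.role.arn", "fs.s3a.session.name")
EXPECTED_AUD = "sts.amazonaws.com"   # assumption: default IRSA token audience
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

def load_props(core_site_xml):
    """Return {name: value} for every <property> in a core-site.xml string."""
    root = ET.fromstring(core_site_xml.strip())
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def jwt_claims(token):
    """Decode the JWT payload only; the signature is left for STS to verify."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(core_site_xml, token, now=None):
    """List the problems that would make the web-identity exchange fail."""
    now = time.time() if now is None else now
    props, problems = load_props(core_site_xml), []
    problems += [f"missing {k}" for k in REQUIRED if not props.get(k)]
    arn = props.get("fs.s3a.role.arn", "")
    if arn and not ROLE_ARN.match(arn):
        problems.append("fs.s3a.role.arn is not an IAM role ARN")
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    if EXPECTED_AUD not in ([aud] if isinstance(aud, str) else aud):
        problems.append(f"token audience is not {EXPECTED_AUD}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append("token subject is not a Kubernetes service account")
    return problems

def make_token(claims):
    """Constructed, unsigned sample token for the demo (not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"

SAMPLE_XML = """<configuration>
  <property><name>fs.s3a.jwt.path</name><value>/var/run/secrets/eks.amazonaws.com/serviceaccount/token</value></property>
  <property><name>fs.s3a.role.arn</name><value>my_iam_role_arn</value></property>
  <property><name>fs.s3a.session.name</name><value>my_iam_session_name</value></property>
</configuration>"""

if __name__ == "__main__":
    tok = make_token({"aud": ["sts.amazonaws.com"], "exp": 100,
                      "sub": "system:serviceaccount:default:demo"})
    print(preflight(SAMPLE_XML, tok, now=200))
```

The check only reads the token's claims; it never logs the token itself, which is a bearer credential for the role.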


