Feat: Enable automatic AWS credential discovery via provider chain #2120
mdgreenwald wants to merge 2 commits into sequinstream:main from
Add support for AWS credential provider chain across all AWS integrations, eliminating the need for long-lived IAM access keys in production environments.

Changes:
- Enable aws_credentials library at runtime (remove runtime: false)
- Remove self-hosted mode restriction for task role credentials
- Add task role support to Kafka sinks with AWS MSK IAM authentication
- Add task role support to HttpPushSqsPipeline (BroadwaySQS)
- Update all AWS sink validations to support use_task_role flag

This enables automatic credential discovery from:
- Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
- AWS credentials file (~/.aws/credentials)
- IRSA/EKS Pod Identity (web identity tokens)
- ECS task credentials
- EC2 instance metadata

Benefits:
- Eliminates security risk of long-lived IAM keys
- Supports modern Kubernetes auth patterns (IRSA, Pod Identity)
- Automatic credential rotation for temporary credentials
- Follows AWS security best practices
- Fully backward compatible (use_task_role defaults to false)

Affected services: SQS, SNS, Kinesis, Kafka (MSK IAM), HttpPushSQS

Signed-off-by: Matthew Greenwald <mdgreenwald@gmail.com>
Claude has this to say about how to idiomatically solve this problem:
Store the resulting This is the most idiomatic Elixir approach. You stay entirely within the BEAM, leverage OTP supervision for credential refresh resilience, and avoid any external sidecar dependencies. The linked Medium article by Sachin Joshi covers this pattern precisely.
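An added example, not code from this PR or from Sequin: an Elixir script that reports which of the credential sources listed in the PR description an environment would resolve to, and flags long-lived IAM user keys. The module name, the resolution order (taken from the order of that list; the aws_credentials library's actual order may differ) and the sample environments are assumptions.

```elixir
defmodule CredentialSourceAudit do
  # Hypothetical audit helper; it only inspects configuration and never calls AWS.
  # Resolution order is assumed to match the list in the PR description.
  def classify(env, credentials_file? \\ false) do
    cond do
      present?(env, "AWS_ACCESS_KEY_ID") and present?(env, "AWS_SECRET_ACCESS_KEY") ->
        {:environment, key_kind(env["AWS_ACCESS_KEY_ID"])}

      credentials_file? ->
        # The file is not parsed here, so the key type is not known.
        {:credentials_file, :unknown}

      present?(env, "AWS_WEB_IDENTITY_TOKEN_FILE") and present?(env, "AWS_ROLE_ARN") ->
        {:web_identity, :temporary}

      present?(env, "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") or
          present?(env, "AWS_CONTAINER_CREDENTIALS_FULL_URI") ->
        {:container, :temporary}

      true ->
        # Nothing configured: the chain falls through to EC2 instance metadata.
        {:instance_metadata, :temporary}
    end
  end

  # IAM user access key IDs start with "AKIA"; STS-issued temporary ones with "ASIA".
  defp key_kind("AKIA" <> _), do: :long_lived
  defp key_kind("ASIA" <> _), do: :temporary
  defp key_kind(_), do: :unknown

  defp present?(env, name), do: env[name] not in [nil, ""]
end

# Constructed sample environments (values are placeholders, not real credentials).
samples = [
  %{"AWS_ACCESS_KEY_ID" => "AKIAIOSFODNN7EXAMPLE", "AWS_SECRET_ACCESS_KEY" => "constructed"},
  %{"AWS_WEB_IDENTITY_TOKEN_FILE" => "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    "AWS_ROLE_ARN" => "arn:aws:iam::111122223333:role/constructed-example"},
  %{"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" => "/v2/credentials/constructed"},
  %{}
]

for env <- samples do
  {source, kind} = CredentialSourceAudit.classify(env)
  note = if kind == :long_lived, do: " <- long-lived IAM key in use", else: ""
  IO.puts("#{source} (#{kind})#{note}")
end
```

To audit a running node instead of the samples, pass `System.get_env()` as `env` and `File.exists?(Path.expand("~/.aws/credentials"))` as the second argument.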