Enable WebIdentityTokenCredentialsProvider authentication (#98)

* Upgrade EMR repository version to support OIDC web identity token * Upgrade to EMR 5.30.2 * Enable WebIdentityTokenCredentialsProvider authentication
ExpediaGroup · Mar 28, 2022 · 092717f · 092717f
1 parent fec085c
commit 092717f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [3.0.1] - 2022-03-28
+### Changed
+- Enable authentication via `WebIdentityTokenCredentialsProvider`.
+
 ## [3.0.0] - 2022-03-25
 ### Changed
 - Upgrade EMR repository to version `5.30.2` (was `5.24.0`) so `AWS SDK for Java` library is upgraded to `1.11.759` and in that way support authentication using IAM role via an OIDC web identity token file (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html).

diff --git a/files/startup.sh b/files/startup.sh
@@ -163,6 +163,11 @@ if [ ! -z ${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} ]; then
     update_property.py fs.s3a.aws.credentials.provider com.amazonaws.auth.ContainerCredentialsProvider /etc/hadoop/conf/core-site.xml
 fi
 
+#configure WebIdentityTokenCredentialsProvider when running with IRSA/OIDC
+if [ ! -z ${AWS_WEB_IDENTITY_TOKEN_FILE} ]; then
+    update_property.py fs.s3a.aws.credentials.provider com.amazonaws.auth.WebIdentityTokenCredentialsProvider /etc/hadoop/conf/core-site.xml
+fi
+
 #auto configure heapsize
 if [ ! -z ${ECS_CONTAINER_METADATA_URI} ]; then
     export MEM_LIMIT=$(wget -q -O - ${ECS_CONTAINER_METADATA_URI}/task|jq -r .Limits.Memory)