[Egress providers - S3 store] Add support for service accounts when running dotnet monitor in kubernetes (#6626)

jwreford99 · jander-msft · web-flow · commit d9fda60760b9 · 2024-05-16T10:07:36.000-07:00
* Reference AWSSDK.SecurityToken in the S3 Storage project so that authentication via Open ID connect is possible
It is enough for the project to be referenced for this to work, and there is no reference to it in the code base, because it's existence allows the AWS SDK to work

* Documentation: add docs to cover the use of service accounts for S3

* Update documentation in line with spell checker

Spell checker flagged that Kubernetes should have an uppercase K and to use the American spelling of utilize

Co-authored-by: Justin Anderson &lt;jander-msft@users.noreply.github.com&gt;

* PR Feedback: Add AWSSDK.SecurityToken.dll to the Signing.props file

---------

Co-authored-by: Justin Anderson &lt;jander-msft@users.noreply.github.com&gt;
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -1,6 +1,7 @@
 <Project>
   <ItemGroup>
     <PackageVersion Include="AWSSDK.S3" Version="$(AwsSdkS3Version)" />
+    <PackageVersion Include="AWSSDK.SecurityToken" Version="$(AwsSdkSecurityTokenVersion)" />
     <PackageVersion Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
     <PackageVersion Include="Azure.Storage.Blobs" Version="$(AzureStorageBlobsVersion)" />
     <PackageVersion Include="Azure.Storage.Queues" Version="$(AzureStorageQueuesVersion)" />
diff --git a/documentation/configuration/egress-configuration.md b/documentation/configuration/egress-configuration.md
@@ -198,6 +198,14 @@ The Queue Message's payload will be the blob name (`<BlobPrefix>/<ArtifactName>`
  ```
 </details>
 
+### Authenticating to S3 using service accounts
+If running workloads in Kubernetes it is common to authenticate with AWS via Kubernetes service accounts ([AWS Documentation](https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html)). This is supported in dotnet monitor if none of: `accessKeyId`, `secretAccessKey`, `awsProfileName` are specified. In this case dotnet monitor will fallback to load credentials to login using AWS default defined environment variables, this means that workloads running in EKS can utilize service accounts as discussed in the above AWS documentation.
+
+Specifically the use of service accounts set the following environment variables which are detected by AWS SDK and used for authentication as a fallback:
+ - AWS_REGION
+ - AWS_ROLE_ARN
+ - AWS_WEB_IDENTITY_TOKEN_FILE
+
 ## Filesystem egress provider
 
 | Name | Type | Description |
diff --git a/eng/Signing.props b/eng/Signing.props
@@ -2,6 +2,7 @@
   <ItemGroup>
     <FileSignInfo Include="AWSSDK.Core.dll" CertificateName="3PartySHA2" />
     <FileSignInfo Include="AWSSDK.S3.dll" CertificateName="3PartySHA2" />
+    <FileSignInfo Include="AWSSDK.SecurityToken.dll" CertificateName="3PartySHA2" />
     <FileSignInfo Include="Newtonsoft.Json.dll" CertificateName="3PartySHA2" />
     <FileSignInfo Include="Newtonsoft.Json.Bson.dll" CertificateName="3PartySHA2" />
     <FileSignInfo Include="Swashbuckle.AspNetCore.Swagger.dll" CertificateName="3PartySHA2" />
diff --git a/eng/dependabot/independent/Packages.props b/eng/dependabot/independent/Packages.props
@@ -19,5 +19,6 @@
     <PackageReference Include="Swashbuckle.AspNetCore" Version="$(SwashbuckleAspNetCoreVersion)" />
     <PackageReference Include="Moq" Version="$(MoqVersion)" />
     <PackageReference Include="AWSSDK.S3" Version="$(AwsSdkS3Version)" />
+    <PackageReference Include="AWSSDK.SecurityToken" Version="$(AwsSdkSecurityTokenVersion)" />
   </ItemGroup>
 </Project>
diff --git a/eng/dependabot/independent/Versions.props b/eng/dependabot/independent/Versions.props
@@ -15,6 +15,7 @@
     <NJsonSchemaVersion>11.0.0</NJsonSchemaVersion>
     <SwashbuckleAspNetCoreVersion>6.5.0</SwashbuckleAspNetCoreVersion>
     <AwsSdkS3Version>3.7.305.7</AwsSdkS3Version>
+    <AwsSdkSecurityTokenVersion>3.7.300.33</AwsSdkSecurityTokenVersion>
 
     <!--
       Moq version & constants derived from Moq.
diff --git a/src/Extensions/S3Storage/S3Storage.csproj b/src/Extensions/S3Storage/S3Storage.csproj
@@ -11,12 +11,13 @@
 
   <ItemGroup>
     <PackageReference Include="AWSSDK.S3" />
+    <PackageReference Include="AWSSDK.SecurityToken" />
   </ItemGroup>
 
   <ItemGroup>
     <ProjectReference Include="..\..\Microsoft.Diagnostics.Monitoring.Extension.Common\Microsoft.Diagnostics.Monitoring.Extension.Common.csproj" />
   </ItemGroup>
-  
+
   <ItemGroup>
     <Compile Update="OptionsDisplayStrings.Designer.cs">
       <DependentUpon>OptionsDisplayStrings.resx</DependentUpon>
