-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
STS needs to be statically linked #45
Conversation
This is needed to support loading roles on kubernetes pod using web identity federation, if STS is not there, the aws-sdk credentials chain will ignore this method and fallback to the instance metadata role which would not be the expected role for the application code
Thanks for the PR! After #46 is merged, then this will be available in v1.0.0 to install from the nightly repository using: force install aws from core_nightly edit: note that the windows failure is being fixed upstream so that should be fixed soonish |
Thanks @samansmink This still somehow does not work with all docker images. As examples: public.ecr.aws/lambda/python:3.10 --> works etc |
Thanks for checking @osalloum! oh thats interesting. Are you using python binaries on ARM based machines? That could be a clue here. For ARM we distribute both a manylinux_2_17 and a manylinux_2_24 wheel |
I tried on arm64v8/eclipse-temurin:21 and it works! where as the amd64 variant before does not Now to try the with the wheels Next test on arm64v8/python:3.11-slim using Then i try installing both of the variants manylinux_2_17_aarch64
manylinux_2_24_aarch64 variant
and it works Before each test i would delete any duckdb related files
Is there anything which i can do to get the manylinux_2_17_aarch64 test working? |
Another good way to know if the credentials works properly on amd64: is using Fargate(serverless compute engine) on EKS because Fargate does not have any real NodeGroup behind it, just a virtual node from AWS which does not have a node role When the code is not able to load credentials using STS (ie AWS_WEB_IDENTITY_TOKEN_FILE) then it would be give empty results, interestingly enough Unfortunately EKS only supports Fargate for amd64 and not for arm64, so i can't do that test |
I got this error when running
|
@tinolyuu there may not be a nightly build for the version you are on |
This is needed to support loading roles on kubernetes pod using web identity federation, if STS is not there, the aws-sdk credentials chain will ignore this method and fallback to the instance metadata role which would not be the expected role for the application code
#31