Add Feature :: Harbor to "Assume Role" to connect AWS S3 Storage #18699

Closed
Tejuvmware opened this issue May 17, 2023 · 4 comments

Comments

Tejuvmware commented May 17, 2023

Hello Team,

Given that the AWS SDK supports assuming a role, pods running in EKS/GKE with the storage target as AWS S3 should be able to assume a role to connect to the S3 buckets.

An example or brief can be found here: https://confluence.eng.vmware.com/display/public/AEAV/Service+User+Model

Versions:
Please specify the versions of following systems.

harbor version: [2.3.3] (via helm chart)
kubernetes 1.20.6
Cluster : GKE
Storage : AWS S3

Expected behavior and actual behavior:

  • Expected: Pods using ServiceAccounts annotated to assume a role with should have access/denial to resources as specified in the policies attached to the role. These assume-role credentials generate a session token with a validity of 12 hours. Need a mechanism to re-establish the connection with AWS before the session token expiry.

  • Actual: Since pods are not assuming the role, one cannot, for instance, use s3 as a storage backend for the registry.
    Currently Harbor doesn't support this kind of AWS connectivity and it is a blocker for us to get on-boarded with VMware CloudGate.

It would be great if this feature request can be prioritised as

BLOCKER: Currently it is a hard blocker from Harbor for us to get TanzuNet Production AWS accounts on-boarded with VMware CloudGate. Having this feature request implemented resolves our blocker.

Let me know if any further details are required.

Thanks,
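
The refresh-before-expiry mechanism requested above, as an added Go example that is not part of the original issue and is not Harbor or Distribution code: a credential cache that renews assumed-role credentials once they come within a safety window of expiry. The `Provider` type, its `fetch` and `now` hooks, and the token value are assumptions; a real `fetch` would call AWS STS.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Creds models the temporary credentials an assume-role call returns.
type Creds struct {
	SessionToken string
	Expiration   time.Time
}

// Provider caches credentials and renews them once they are within window
// of expiry. fetch and now are injected hooks (assumptions of this example).
type Provider struct {
	mu     sync.Mutex
	fetch  func() (Creds, error)
	now    func() time.Time
	window time.Duration
	cur    Creds
}

// Get refreshes ahead of expiry; if a refresh fails while the cached token
// is still unexpired, it keeps serving the cached token.
func (p *Provider) Get() (Creds, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	now, have := p.now(), p.cur.SessionToken != ""
	if have && now.Before(p.cur.Expiration.Add(-p.window)) {
		return p.cur, nil
	}
	fresh, err := p.fetch()
	if err != nil {
		if have && now.Before(p.cur.Expiration) {
			return p.cur, nil
		}
		return Creds{}, fmt.Errorf("refresh assumed-role credentials: %w", err)
	}
	p.cur = fresh
	return fresh, nil
}

func main() {
	f := func() (Creds, error) { return Creds{"constructed-token", time.Now().Add(12 * time.Hour)}, nil }
	p := &Provider{fetch: f, now: time.Now, window: 15 * time.Minute}
	fmt.Println(p.Get())
}
```

Calling `Get` on every storage request keeps the refresh off a background timer, so a long-lived process never holds a token past its 12-hour validity.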

Member

Vad1mo commented May 19, 2023

duplicate of #16490 and #12888

@Vad1mo Vad1mo closed this as completed May 19, 2023
@Tejuvmware Tejuvmware changed the title from "Add Feature "Service User Model" ( Assume Role ) for Harbor to S3 Storage" to "Add Feature :: Harbor to "Assume Role" to connect AWS S3 Storage" Jun 20, 2023

msha01 commented Jul 3, 2023

This feature has a dependency on a 3rd-party team - Distribution. Maintainers of Distribution Harbor are accepting only critical CVE fixes and critical bug fixes as of now.

If the Assume Role feature request is prioritized by Harbor maintainers, it will be available only in the major release v3.0; there will be no 2.9 release.

The Harbor team is awaiting a response from the Distribution team and therefore there is no concrete timeline for this feature request implementation.

Author

Tejuvmware commented Jul 3, 2023

@msha01,

Can you please share the JIRA/PR raised against the Distribution team where you are awaiting their response? What is the tentative timeline for the release v3.0?

Could you please keep this PR open until it gets resolved? As I don't have access to re-open the same PR.

Thank you,


yanji09 commented Jul 4, 2023

@Tejuvmware this issue was marked as a duplicate, as Vadim commented here. From the Harbor side, we don't have details on when Distribution will release 3.0.
