add support for authentication with EKS Pod Identities (#1944)

Signed-off-by: Steven <saweber@gmail.com>

pkg/credentials/iam_aws.go

@@ -61,6 +61,7 @@ type IAM struct {
 	// Support for container authorization token https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
 	Container struct {
 		AuthorizationToken     string
+		AuthorizationTokenFile string
 		CredentialsFullURI     string
 		CredentialsRelativeURI string
 	}
@@ -105,6 +106,11 @@ func (m *IAM) Retrieve() (Value, error) {
 		token = m.Container.AuthorizationToken
 	}
 
+	tokenFile := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
+	if tokenFile == "" {
+		tokenFile = m.Container.AuthorizationToken
+	}
+
 	relativeURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
 	if relativeURI == "" {
 		relativeURI = m.Container.CredentialsRelativeURI
@@ -181,6 +187,10 @@ func (m *IAM) Retrieve() (Value, error) {
 
 		roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
 
+	case tokenFile != "" && fullURI != "":
+		endpoint = fullURI
+		roleCreds, err = getEKSPodIdentityCredentials(m.Client, endpoint, tokenFile)
+
 	case fullURI != "":
 		if len(endpoint) == 0 {
 			endpoint = fullURI
@@ -305,6 +315,18 @@ func getEcsTaskCredentials(client *http.Client, endpoint, token string) (ec2Role
 	return respCreds, nil
 }
 
+func getEKSPodIdentityCredentials(client *http.Client, endpoint string, tokenFile string) (ec2RoleCredRespBody, error) {
+	if tokenFile != "" {
+		bytes, err := os.ReadFile(tokenFile)
+		if err != nil {
+			return ec2RoleCredRespBody{}, fmt.Errorf("getEKSPodIdentityCredentials: failed to read token file:%s", err)
+		}
+		token := string(bytes)
+		return getEcsTaskCredentials(client, endpoint, token)
+	}
+	return ec2RoleCredRespBody{}, fmt.Errorf("getEKSPodIdentityCredentials: no tokenFile found")
+}
+
 func fetchIMDSToken(client *http.Client, endpoint string) (string, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()