
Support EKS Pod Identities for Signing S3 Bundle Requests #6724

Open
alghanmi opened this issue Apr 26, 2024 · 1 comment

Comments

@alghanmi

What is the underlying problem you're trying to solve?

Currently, OPA supports AWS Signatures using IAM Roles for Service Accounts (IRSA) in EKS to sign and retrieve bundles. EKS Pod Identities is a new way to manage permissions in EKS, and I would like OPA to add support for it.

Describe the ideal solution

I don't know if this solution is in line with the OPA project policies, but if OPA used the AWS SDK to access S3, an SDK upgrade would have added support for EKS Pod Identities. That said, I understand if the project does not want to uptake the SDK.

Describe a "Good Enough" solution

Similar to OPA's support of IRSA, Pod Identities export the AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE that can be used to retrieve the auth token.

Additional Context

In November 2023, AWS announced EKS Pod Identity, a new feature that simplifies how Kubernetes applications obtain AWS IAM permissions. It is in a way the successor to IAM Roles for Service Accounts (IRSA). Many Kubernetes administrators are migrating from IRSA to Pod Identities for its simplified workflow, the ability to share roles across clusters and its support of session tags.
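As an added example (not code from this issue or from OPA), this Go sketch implements the "Good Enough" path: it re-reads the token from the file named by AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE on every call and presents it to the Pod Identity agent's credential endpoint. It assumes the endpoint comes from AWS_CONTAINER_CREDENTIALS_FULL_URI and answers with ECS-style JSON (AccessKeyId, SecretAccessKey, Token, Expiration); the loopback/link-local restriction on plaintext endpoints is an added safeguard, not an OPA behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
	"strings"
)
// ContainerCredentials mirrors the ECS-style JSON the Pod Identity agent serves (field names assumed).
type ContainerCredentials struct {
	AccessKeyID     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	Token           string `json:"Token"`
	Expiration      string `json:"Expiration"`
}
// endpointAllowed permits https, or plaintext http only to a loopback/link-local host,
// so a mis-set AWS_CONTAINER_CREDENTIALS_FULL_URI cannot send the token off-host.
func endpointAllowed(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	ip := net.ParseIP(u.Hostname())
	return u.Scheme == "https" || (u.Scheme == "http" && ip != nil && (ip.IsLoopback() || ip.IsLinkLocalUnicast()))
}

// FetchContainerCredentials re-reads the rotating token file on every call and sends it
// in the Authorization header, which is how the agent authenticates the calling pod.
func FetchContainerCredentials(client *http.Client, endpoint, tokenFile string) (*ContainerCredentials, error) {
	if !endpointAllowed(endpoint) {
		return nil, fmt.Errorf("refusing credential endpoint %q: need https, loopback or link-local", endpoint)
	}
	token, err := os.ReadFile(tokenFile)
	if err != nil {
		return nil, fmt.Errorf("reading token file: %w", err)
	}
	req, _ := http.NewRequest(http.MethodGet, endpoint, nil)
	req.Header.Set("Authorization", strings.TrimSpace(string(token)))
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var creds ContainerCredentials
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&creds) != nil ||
		creds.AccessKeyID == "" || creds.SecretAccessKey == "" || creds.Token == "" {
		return nil, fmt.Errorf("credential endpoint %s: unusable response (status %d)", endpoint, resp.StatusCode)
	}
	return &creds, nil
}
```

The returned static credentials and session token are what a SigV4 signer for the S3 bundle request would consume; callers should refresh before Expiration rather than cache indefinitely.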

@ashutosh-narkar
Member

Adding a new method to provide creds seems fine. Feel free to contribute if you'd like. OPA does not vendor the SDK but you can see the implementations of existing providers for reference. Also the code here might be helpful.
