Support AWS EKS Pod Identity to authenticate against S3 Buckets #6840

@jfeddern

Is your feature request related to a problem? Please describe.
Currently, Testkube does not support using Amazon EKS Pod Identity for authenticating against AWS S3 buckets. This means that when running tests or handling artifacts stored in S3, users must rely on static AWS credentials (through environment variables, IAM roles for service accounts, or secret mounts). This setup makes it harder to securely manage credentials and leverage the native authentication mechanism provided by AWS for EKS workloads.

Describe the solution you'd like
Add support for EKS Pod Identity as an authentication mechanism for AWS services, particularly for accessing S3 buckets. When Testkube is running within an EKS cluster configured with Pod Identity, it should automatically authenticate using the IAM role associated with the pod, without requiring any manual credential setup.

This would involve detecting and using the pod’s IAM credentials via the AWS SDK’s default credential provider chain, ensuring seamless and secure access to S3 resources.

Describe alternatives you've considered

  • Using IRSA (IAM Roles for Service Accounts), which requires additional configuration and still needs explicit IAM role annotation. IRSA also comes with higher administrative effort compared to EKS Pod Identity.
  • Providing static AWS credentials through environment variables or Kubernetes secrets, which introduces security risks and maintenance overhead.

These alternatives work but do not provide the same level of security and simplicity as native Pod Identity authentication.

Additional context
EKS Pod Identity offers a more secure and streamlined solution compared to IRSA, eliminating the need for managing AWS access keys or role annotations. This enhancement would improve integration with AWS environments, reduce operational complexity, and align with AWS best practices for workload authentication.

If I understand the logic correctly, Testkube is using minio for uploading artifacts to S3 buckets. Minio introduced EKS Pod Identity support in version v7.0.70 (refer to the following release notes: https://github.com/minio/minio-go/releases/tag/v7.0.70).
If I'm not entirely mistaken, updating the minio-go dependency (https://github.com/kubeshop/testkube/blob/main/go.mod#L52) to a new version (latest available one v7.0.95) might already be sufficient to support EKS Pod Identity. But maybe I overlooked some other place which needs to be adapted.
