feature: allow use of short lived creds for local container #3501
Conversation
wcarpenter1-godaddy
changed the title
wcarpenter1-godaddy
changed the title
wcarpenter1-godaddy
requested review from
claytonparnell
and removed request for
a team
Yes, this would fix the issue perfectly :). Seems reasonable to me having it as an env var. I think there might need to be some more documentation on setting the env var. I don't think users would be able to find this option without going through the source code. Another thought I had was making this an option to the |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
mufaddal-rohawala
force-pushed
the
master
branch
from
bae3b8b to
d000bdc
Compare
navinsoni
force-pushed
the
user-short-lived-credentials-override
branch
from
2531f2f to
d8c6df8
Compare
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
@navinsoni thanks for helping run the checks. what is the process for getting this PR merged? |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Hi @wcarpenter1-godaddy , I apologize Navin went on parental leave and nobody picked this up; I can help get it merged, just need a few things. Could you please:
|
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
😄 😭 😄 Thanks @claytonparnell ! |
wcarpenter1-godaddy
deleted the
user-short-lived-credentials-override
branch
* build: reset soft * docs(docs): update docs with USE_SHORT_LIVED_CREDENTIALS bullet * style(format): fix rst code format
* build: reset soft * docs(docs): update docs with USE_SHORT_LIVED_CREDENTIALS bullet * style(format): fix rst code format
Issue #, if available:
#3464
Description of changes:
This change allows the user to tell the sagemaker local container to use short-lived credentials in the session. This is necessary if you would like to use local mode on an ec2 machine and maintain the session's creds for which you have assumed a role, instead of having SM automatically use the ec2 machine's metadata credentials.
Our use case is that we run Sagemaker local endpoint deploy during our Github Actions CI/CD to verify that the Sagemaker endpoint is valid before initiating an actual deploy. We are using a custom container for the endpoint. The container has code to fetch AWS secrets from the assumed-role in the GHA session. Since SM currently forces the container to use metadata credentials, we are unable to find the correct secrets, and so our local deploy fails.
By allowing SM to use the assumed-role session's credentials when operating on and EC2, it should allow our local deploy to work as expected.
Testing done:
I've installed the forked repo's changes on our project and it fixed the issue outlined above.
Merge Checklist
Put an
xin the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your pull request.General
Tests
unique_name_from_baseto create resource names in integ tests (if appropriate)By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.