017, 018: AWS KMS credentials config restructure & EKS workload authentication#97
Merged
robobario merged 5 commits intokroxylicious:mainfrom Apr 21, 2026
Merged
Conversation
017 - restructure AWS KMS config to group credential providers under a
`credentials` node, with backward compat for existing flat fields
018 - add IRSA (AssumeRoleWithWebIdentity) and EKS Pod Identity
credential providers, with shared async refresh base class
References: kroxylicious/kroxylicious#1295, kroxylicious/kroxylicious#3684
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Oleksiy Pylypenko <oleksiy.pylypenko@gmail.com>
6 tasks
SamBarker
added a commit
to SamBarker/kroxylicious-design
that referenced
this pull request
Apr 13, 2026
017 and 018 were claimed by PR kroxylicious#97. Assisted-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sbarker@redhat.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk>
oleksiyp
added a commit
to oleksiyp/kroxylicious
that referenced
this pull request
Apr 13, 2026
Restructure AWS KMS configuration to group all credential providers under a `credentials` node (CredentialsConfig record). Existing top-level `longTermCredentials` and `ec2MetadataCredentials` keys remain as deprecated backward-compatible aliases — the compact constructor silently migrates them into the `credentials` node. Add EKS Pod Identity credential provider that retrieves temporary credentials from the local Pod Identity Agent endpoint. Falls back to AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variables. Design proposal: kroxylicious/design#97 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Oleksiy Pylypenko <oleksiy.pylypenko@gmail.com>
robobario
reviewed
Apr 14, 2026
Member
robobario
left a comment
robobario
left a comment
There was a problem hiding this comment.
Thanks @oleksiyp great to have your proposal, support for EKS auth would be brilliant to have.
Have put up some points, mostly asking for elaboration on the new config options. Also a paragraph of justification for using environment variables would be great as we have so far preferred explicit YAML configuration.
@k-wall is also expert in the AWS KMS so keen for him to take a look.
…ustification - Add comprehensive config options tables for IRSA and Pod Identity with field descriptions, defaults, and env var fallbacks - Add fail-fast documentation (KmsException at construction time) - Add paragraph justifying env var defaults (platform-injected values, separation of concerns, AWS SDK convention) - Document durationSeconds range (900-43200), roleSessionName default and regex, stsEndpointUrl derivation, credentialLifetimeFactor behavior Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Oleksiy Pylypenko <oleksiy.pylypenko@gmail.com>
Contributor
Author
|
@robobario addressed comments you provided in d711ee5 |
SamBarker
added a commit
to SamBarker/kroxylicious-design
that referenced
this pull request
Apr 14, 2026
017 and 018 were claimed by PR kroxylicious#97. Assisted-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sbarker@redhat.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk>
robobario
reviewed
Apr 15, 2026
Since Config.region is already required in YAML, there is no need for a separate stsRegion field or AWS_REGION env var fallback. The STS endpoint is derived as https://sts.<Config.region>.amazonaws.com by default. stsEndpointUrl remains as an optional override for non-standard partitions (China: amazonaws.com.cn, ISO: c2s.ic.gov). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Oleksiy Pylypenko <oleksiy.pylypenko@gmail.com>
k-wall
reviewed
Apr 16, 2026
Member
|
@ddaviesbrackett-dwp I know you run Kroxylicious on EC2 so are closer to the issues than me. If you have bandwidth would you mind reviewing? |
Per k-wall's review, the project has a deprecation policy even pre-1.0, so "nominally acceptable breaking changes" was incorrect framing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Oleksiy Pylypenko <oleksiy.pylypenko@gmail.com>
Contributor
Author
|
@robobario do you have any other requests to fix in this proposals? |
Member
|
nope, looks good to me thank you! I'll put a call out on the dev list to see if anyone else wants to review it, else will merge it in 24 hours. |
robobario
approved these changes
Apr 19, 2026
tombentley
reviewed
Apr 19, 2026
Member
tombentley
left a comment
tombentley
left a comment
There was a problem hiding this comment.
Thanks for this! It basically LGTM.
Claude found a few minor points which we can improve. They're mostly just clarifying the proposal itself, not changing what's being proposed.
Thanks again.
- Acknowledge Accept: application/json is undocumented in STS API - Add IAM permissions note for assumed role - Add durationSeconds effective maximum (role MaxSessionDuration) - Add credentialLifetimeFactor valid range (0, 1) - Extend fail-fast to validate roleSessionName regex and durationSeconds - Add Pod Identity trust boundary note (link-local HTTP, same as IMDS) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Oleksiy Pylypenko <oleksiy.pylypenko@gmail.com>
Contributor
Author
|
@tombentley checked comments and fixed what makes sense to me in 83ee98d |
Contributor
Author
|
@robobario can you please merge? |
Member
|
Done, thanks for that! |
oleksiyp
added a commit
to oleksiyp/kroxylicious
that referenced
this pull request
Apr 21, 2026
Restructure AWS KMS configuration to group all credential providers under a `credentials` node (CredentialsConfig record). Existing top-level `longTermCredentials` and `ec2MetadataCredentials` keys remain as deprecated backward-compatible aliases — the compact constructor silently migrates them into the `credentials` node. Add EKS Pod Identity credential provider that retrieves temporary credentials from the local Pod Identity Agent endpoint. Falls back to AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variables. Design proposal: kroxylicious/design#97 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Oleksiy Pylypenko <oleksiy.pylypenko@gmail.com>
k-wall
pushed a commit
to oleksiyp/kroxylicious
that referenced
this pull request
Apr 22, 2026
Restructure AWS KMS configuration to group all credential providers under a `credentials` node (CredentialsConfig record). Existing top-level `longTermCredentials` and `ec2MetadataCredentials` keys remain as deprecated backward-compatible aliases — the compact constructor silently migrates them into the `credentials` node. Add EKS Pod Identity credential provider that retrieves temporary credentials from the local Pod Identity Agent endpoint. Falls back to AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variables. Design proposal: kroxylicious/design#97 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Oleksiy Pylypenko <oleksiy.pylypenko@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two design proposals for the AWS KMS Record Encryption filter:
017 — Credentials config restructure: Groups all credential providers under a single
credentialsYAML node (credentials.longTerm,credentials.ec2Metadata, etc.) instead of flat top-level fields. Backward compatible — existinglongTermCredentials/ec2MetadataCredentialsYAML keeps working via migration in the record's compact constructor.018 — EKS workload authentication (IRSA & Pod Identity): Adds two new credential providers for Amazon EKS pods. IRSA exchanges a projected OIDC token via STS
AssumeRoleWithWebIdentity; Pod Identity calls the local Pod Identity Agent. Both return temporary credentials compatible with the existing SigV4 signing. Includes extraction of a shared async-refresh base class fromEc2MetadataCredentialsProvider. Depends on 017 for config structure.Prompted by review feedback on the implementation PR kroxylicious/kroxylicious#3684.
References: kroxylicious/kroxylicious#1295, kroxylicious/kroxylicious#3684
🤖 Generated with Claude Code