From 722810166598ab9d7ad646eaface84cb1e45be24 Mon Sep 17 00:00:00 2001
From: zhaoqiang wang
Date: Mon, 9 Mar 2026 20:45:43 +0900
Subject: [PATCH] fix(validate-env): add IRSA and EKS Pod Identity support for Bedrock auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, the Bedrock credential validation only accepted static IAM user keys (AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY) or a bearer token (AWS_BEARER_TOKEN_BEDROCK), which forced users to create long-lived IAM user credentials — a security anti-pattern in containerized environments.

This commit adds support for two additional AWS credential mechanisms that are natively supported by the AWS SDK credential provider chain:

- IRSA (IAM Roles for Service Accounts): requires both AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN to be set together
- EKS Pod Identity: requires both AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE to be set together

Partial configuration of either mechanism (only one of a required pair) now produces a specific, actionable error message rather than falling through to a generic 'no credentials found' failure.
---
 base-action/src/validate-env.ts | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/base-action/src/validate-env.ts b/base-action/src/validate-env.ts
index 1f28da37e..e067eefc9 100644
--- a/base-action/src/validate-env.ts
+++ b/base-action/src/validate-env.ts
@@ -36,13 +36,40 @@ export function validateEnvironmentVariables() {
       errors.push("AWS_REGION is required when using AWS Bedrock.");
     }
 
-    // Either bearer token OR access key credentials must be provided
+    // IRSA (IAM Roles for Service Accounts) — requires both vars together
+    const awsWebIdentityTokenFile = process.env.AWS_WEB_IDENTITY_TOKEN_FILE;
+    const awsRoleArn = process.env.AWS_ROLE_ARN;
+
+    // EKS Pod Identity — requires both vars together
+    const awsContainerCredentialsFullUri = process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI;
+    const awsContainerAuthorizationTokenFile = process.env.AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE;
+
     const hasAccessKeyCredentials = awsAccessKeyId && awsSecretAccessKey;
     const hasBearerToken = awsBearerToken;
+    const hasIRSA = !!(awsWebIdentityTokenFile && awsRoleArn);
+    const hasPodIdentity = !!(awsContainerCredentialsFullUri && awsContainerAuthorizationTokenFile);
+
+    // Warn on incomplete IRSA configuration
+    if (!!(awsWebIdentityTokenFile || awsRoleArn) && !hasIRSA) {
+      errors.push(
+        "Incomplete IRSA configuration: both AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN must be set together.",
+      );
+    }
+
+    // Warn on incomplete EKS Pod Identity configuration
+    if (!!(awsContainerCredentialsFullUri || awsContainerAuthorizationTokenFile) && !hasPodIdentity) {
+      errors.push(
+        "Incomplete EKS Pod Identity configuration: both AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE must be set together.",
+      );
+    }
 
-    if (!hasAccessKeyCredentials && !hasBearerToken) {
+    if (!hasAccessKeyCredentials && !hasBearerToken && !hasIRSA && !hasPodIdentity) {
       errors.push(
-        "Either AWS_BEARER_TOKEN_BEDROCK or both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are required when using AWS Bedrock.",
+        "No valid AWS credentials found for Bedrock. Please provide one of the following:\n" +
+          " 1. Static credentials: AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY\n" +
+          " 2. Bedrock bearer token: AWS_BEARER_TOKEN_BEDROCK\n" +
+          " 3. IRSA: AWS_WEB_IDENTITY_TOKEN_FILE + AWS_ROLE_ARN\n" +
+          " 4. EKS Pod Identity: AWS_CONTAINER_CREDENTIALS_FULL_URI + AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE",
       );
     }
   } else if (useVertex) {
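Review bot: The final check on the new side, `if (!hasAccessKeyCredentials && !hasBearerToken && !hasIRSA && !hasPodIdentity)`, accepts any combination of the four mechanisms, so a runner that inherits a stray `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair alongside a correctly projected IRSA or Pod Identity setup passes validation and — if the Bedrock client really uses the SDK's default provider chain, as the commit message states — will authenticate with the static keys, because the Node SDK's default chain resolves environment keys before the web-identity and container providers. That silently defeats the least-privilege intent of this change and is hard to debug, since the role-based configuration looks complete. I would count the configured mechanisms, e.g. `const configured = [hasAccessKeyCredentials, hasBearerToken, hasIRSA, hasPodIdentity].filter(Boolean).length;`, and when `configured > 1` surface a warning (or an error, if the action wants to be strict) that names the mechanisms found and states that static keys take precedence. Separately, `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` are file paths, so an `fs.existsSync` check on each would give a mis-mounted projected token the same actionable error the partial-configuration cases now receive. `validateEnvironmentVariables` begins and ends outside this hunk.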