SQS Connector: authenticate using roles?

Hi all,

I have a Camunda instance running in our EKS cluster, which needs to receive messages from SQS.

The cluster’s nodes are already configured to connect to all AWS services using role-based authentication, but apparently the connector has to be configured with access and secret keys (the modeller flags an error if I leave them blank).

Is there no way to connect using roles? Basically Camunda wouldn’t need to do anything, just delegate authentication to the AWS SDK.

Thanks
Alberto

Hello my friend! :smile:

Personally, I’m not familiar with Camunda 8, but in Camunda 7, I perform configurations using the AWS SDK to retrieve parameters from the Parameter Store, for example, and return them to my Camunda application through a getter method.

For example: The AWS SDK fetches the API Key and returns it to my Java code. I created a class called PropertiesService with a getter method that retrieves the value of the API Key. Then, I use it in a Camunda field called Authorization like this:
apikey #{PropertiesService.getMyApiKey()}

I hope this helps in some way.

And please, if anyone has an easier way to assist our friend, feel free to share! :pray: :smile:

William Robert Alves

Hi William,

Thanks for your response, I think I get the gist of it. Basically I need to implement my own “plugin” (for I don’t know of a better term) that uses role-based authentication to get the two secrets Camunda needs.

This is certainly a workable solution, although, as you mentioned, a bit over-complicated. Basically using role-based authentication to provide secrets to a process that could do without those secrets, because we have role-based authentication…

Let’s hope a simpler solution exists!

Alberto

Hi @albx79,

Thank you for your inquiry.

We are investigating the feature request. I am not too familiar with EKS role management, so the open question for me right now, if you know, is: when you assign a role to your cluster, is it profile-based or web-token based?

I am just wondering where I get the role or token. I have a gut feeling that it is an STS-emitted web token, but I am not entirely sure. Besides, it may differ from setup to setup.

Thank you.

Hi @albx79,

Also, upon exploring WebIdentityTokenCredentialsProvider, which works with role-based AuthN, I see it looks for the following values: Role ARN (environment variable AWS_ROLE_ARN), Role Session Name (environment variable AWS_ROLE_SESSION_NAME), and Web Identity Token File (environment variable AWS_WEB_IDENTITY_TOKEN_FILE). If the values are not specified during code execution, they fall back to the environment variable values.

Could you please check that the environment variables are set in your EKS pods?

Thank you!
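As an added example (not code from this thread or from Camunda), here is a POSIX shell check to run inside the Camunda pod that verifies the three values WebIdentityTokenCredentialsProvider falls back to are actually present and usable; the role ARN, session name and token contents used below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: confirms the IRSA values that
# WebIdentityTokenCredentialsProvider falls back to are present in the pod.
# AWS_ROLE_SESSION_NAME is optional for the SDK (it generates one), so it only warns.
# Returns 0 when the role ARN and token file are usable, 1 otherwise.
check_web_identity_env() {
  rc=0

  # Account ID is 12 digits; arn:aws* also matches the aws-cn / aws-us-gov partitions.
  case "${AWS_ROLE_ARN:-}" in
    arn:aws*:iam::????????????:role/*) echo "ok: AWS_ROLE_ARN=$AWS_ROLE_ARN" ;;
    "") echo "missing: AWS_ROLE_ARN (is the service account annotated with eks.amazonaws.com/role-arn?)"; rc=1 ;;
    *)  echo "malformed: AWS_ROLE_ARN=$AWS_ROLE_ARN"; rc=1 ;;
  esac

  if [ -z "${AWS_ROLE_SESSION_NAME:-}" ]; then
    echo "note: AWS_ROLE_SESSION_NAME unset; the SDK will generate a session name"
  fi

  token="${AWS_WEB_IDENTITY_TOKEN_FILE:-}"
  if [ -z "$token" ]; then
    echo "missing: AWS_WEB_IDENTITY_TOKEN_FILE"; rc=1
  elif [ ! -r "$token" ]; then
    echo "unreadable: $token (check the projected volume mount and the container's runAsUser/fsGroup)"; rc=1
  elif [ ! -s "$token" ]; then
    echo "empty: $token"; rc=1
  else
    # The projected service-account token is a JWT: three base64url segments separated by two dots.
    dots=$(tr -cd '.' < "$token" | wc -c | tr -d ' ')
    if [ "$dots" -eq 2 ]; then
      echo "ok: token file $token looks like a JWT"
    else
      echo "unexpected content in $token (expected a JWT with 2 dots, found $dots)"; rc=1
    fi
  fi
  return "$rc"
}

# Run directly inside the pod, e.g. kubectl exec <camunda-pod> -- sh check.sh --run
if [ "${1:-}" = "--run" ]; then
  check_web_identity_env
fi
```

If the check fails, the connector has nothing to fall back to, so the missing value should be fixed on the pod (service-account annotation or projected token volume) rather than worked around with static keys.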

Hi,

Just a quick follow-up for anyone passing by: since the latest release, the connector supports role-based authentication (for self-managed instances only).

In the authentication drop-down, you simply select “role-based”, and you no longer need to add secrets and keys.

Best regards,
Alberto