task-runner unable to use webidentity OIDC on EKS

Summary

Since task-runner uses s3cmd, it cannot connect to S3 via OIDC web identity when the EKS annotation eks.amazonaws.com/role-arn is used. There is a pull request on s3cmd that needs to be upvoted and merged: https://github.com/s3tools/s3cmd/pull/1112

Some thumbs and hearts will help.

Current behavior

When using the annotation eks.amazonaws.com/role-arn, s3cmd does not support OIDC web identity. AWS credentials must instead be specified explicitly in .s3cfg.

Expected behavior

Task-runner should connect to S3 with credentials obtained from the OIDC web identity.

Acceptance

A shell within the task-runner Pod has the ability to access S3 buckets when making use of EKS Role / SA ARNs.

Testing:

  1. Spin up an EKS cluster
  2. Spin up 1+ buckets for testing, and associate access via ARNs
  3. Configure this chart to make use of those buckets, and the global.serviceAccount.annotations per documentation.
  4. kubectl exec into the deployed task-runner Pod, and attempt the following commands, which should all succeed:
    • s3cmd ls BUCKET
    • s3cmd cp BUCKET/thing /tmp/
    • s3cmd cp /tmp/other BUCKET/other
    • s3cmd ls BUCKET
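The token exchange s3cmd is missing here, as an added example that is not code from the chart, s3cmd or the linked pull request: a Python script that reads the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE variables the EKS pod identity webhook injects, calls STS AssumeRoleWithWebIdentity, and writes the short-lived credentials into .s3cfg, so no long-lived keys need to live in the config. The STS endpoint, session name, config path and sample response are assumptions.

```python
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

SAMPLE_STS_RESPONSE = (  # constructed sample, shaped like a real AssumeRoleWithWebIdentity reply
    '<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">'
    "<AssumeRoleWithWebIdentityResult><Credentials>"
    "<SessionToken>EXAMPLE_SESSION_TOKEN</SessionToken>"
    "<SecretAccessKey>EXAMPLE_SECRET</SecretAccessKey>"
    "<Expiration>2024-01-01T00:00:00Z</Expiration><AccessKeyId>ASIAEXAMPLE</AccessKeyId>"
    "</Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>")

def parse_sts_credentials(xml_body: str) -> dict:
    """Pull the temporary credentials out of an STS XML response."""
    creds = ET.fromstring(xml_body).find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    return {k: creds.findtext(f"{STS_NS}{k}")
            for k in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}

def assume_role_with_web_identity(role_arn: str, token: str, session_name: str = "task-runner",
                                  endpoint: str = "https://sts.amazonaws.com/") -> dict:
    """Unsigned STS call: the OIDC token itself is the credential (endpoint is an assumption)."""
    query = urllib.parse.urlencode({"Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
                                    "RoleArn": role_arn, "RoleSessionName": session_name,
                                    "WebIdentityToken": token})
    with urllib.request.urlopen(f"{endpoint}?{query}", timeout=10) as resp:
        return parse_sts_credentials(resp.read().decode())

def render_s3cfg(creds: dict) -> str:
    """Minimal .s3cfg; s3cmd reads the STS session token from access_token."""
    return ("[default]\n"
            f"access_key = {creds['AccessKeyId']}\n"
            f"secret_key = {creds['SecretAccessKey']}\n"
            f"access_token = {creds['SessionToken']}\n")

def write_s3cfg_from_irsa(path: str = os.path.expanduser("~/.s3cfg")) -> dict:
    """Use the env vars the EKS pod identity webhook injects; re-run before Expiration."""
    with open(os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"]) as fh:
        token = fh.read().strip()
    creds = assume_role_with_web_identity(os.environ["AWS_ROLE_ARN"], token)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only: still secrets
    with os.fdopen(fd, "w") as fh:
        fh.write(render_s3cfg(creds))
    return creds
```

Run write_s3cfg_from_irsa() inside the task-runner Pod before the s3cmd commands above; the credentials it writes expire, so it has to be re-run once Expiration passes.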
Edited by Jason Plum