Support EKS IAM Service Accounts (Web identity Providers)
AWS EKS recently released a new feature where you can have a service account per pod https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html to provide isolation. When s3 cache is configured for the Runner and it's configured to use the IAM roles, it fails to pick up the IAM role and ends up timing out with
ERROR: error while generating S3 pre-signed URL error=Get http://169.254.169.254/latest/meta-data/iam/security-credentials: dial tcp 169.254.169.254:80: i/o timeout.
In GitLab Runner we are using the minio-go SDK to connect with AWS, and it seems like
Web identity Providers are not supported https://github.com/minio/minio-go/issues/1156 because the IAM token path is exposed with a new environment variable
AWS_WEB_IDENTITY_TOKEN_FILE. So our dependency does not support Web identity providers on EKS.
- Provide a patch upstream to mino, which seem to be open for https://github.com/minio/minio-go/issues/1156#issuecomment-530113464
- Update our minio dependency, this is where it gets a bit complicated. We have been working on upgrading the minio dependency in !1023 (closed) but are blocked becuase of Go modules which we need to update our Runner codebase to use with upgrade, we already have a WIP MR to upgrade Go version and add Go module support in !1625 (merged). So this issue is until we upgrade to go1.13.