Amazon EKS integration should use IAM instance profiles and work without static credentials
Right now we require admins to enter in an access key and a secret key ID to access an EKS cluster. However, we shouldn't require static credentials. If an instance is granted an IAM role (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html), then we don't need these at all.
I believe this works if you omit the credentials from the Aws::STS::Client:
diff --git a/app/services/clusters/aws/fetch_credentials_service.rb b/app/services/clusters/aws/fetch_credentials_service.rb
index 96abbb43969..78d3bef6253 100644
--- a/app/services/clusters/aws/fetch_credentials_service.rb
+++ b/app/services/clusters/aws/fetch_credentials_service.rb
@@ -30,7 +30,7 @@ def execute
attr_reader :provider, :region
def client
- ::Aws::STS::Client.new(credentials: gitlab_credentials, region: region)
+ ::Aws::STS::Client.new(region: region)
end
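Review bot: In `client`, dropping `credentials: gitlab_credentials` unconditionally removes the static-key path for every installation, including ones that are not running on an EC2 instance with a role attached. It also leaves credential selection to the SDK's default provider chain, which consults environment variables and shared config files before the instance profile, so the STS call may run as an identity the admin did not configure here. Consider passing `credentials:` only when keys are set and omitting the option otherwise, and add a spec for both paths.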
The AWS SDK will then attempt to fetch credentials for the instance.