Update aws-go-sdk to support EKS Pod Identity

[bhvishal9]

Is your feature request related to a problem? Please describe.
Currently boundary doesn't support EKS pod identity which is a much simpler way to provide AWS access. The newer versions of aws-sdk-go support EKS pod identity, it was added in version 1.47.1.

There is an error if you use the latest version of boundary 0.18.0 on EKS

Error parsing KMS configuration: error setting configuration on the kms plugin: rpc error: code = Unknown desc = error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Describe the solution you'd like
Boundary should work on EKS if using EKS pod identity for providing KMS access.

Describe alternatives you've considered
The other solution is to use IAM roles for service accounts or pass access keys/secret access keys to the configuration.

[Rachana-hashi]

Hi there,
Thank you for reaching out to us. I had a few questions regarding this ask.

1. Is the error posted below received when using EKS pod identity with boundary 0.18?
   Error parsing KMS configuration: error setting configuration on the kms plugin: rpc error: code = Unknown desc = error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors

2. Have you tried using EKS pod identity work with any earlier versions of boundary? Just wanted to understand if the error is because of the 0.18 version of boundary or because there is no support.

3. With the alternative you provided, does it give you the desired outcome? Are you able to use EKS pod identity for KMS access

[bhvishal9]

Hey @Rachana-hashi Sorry for not providing those details before but here it is:

1. Yes, I was using version 0.18.
2. I tried 0.17 as well and had same issue, I think it is because there is no support for it yet as the go aws sdk version seems older than the version that started supporting pod identity.
3. No, those are alternatives to pod identity itself, I can either use the older methods like IAM roles for service accounts(IRSA)/access keys-secret access keys or I can use the pod identity.

[Rachana-hashi]

Hi Vishal,

Thanks for answering the questions. Are you using Vault with Boundary here?

[bhvishal9]

Hi Vishal,

Thanks for answering the questions. Are you using Vault with Boundary here?

Hey @Rachana-hashi , in what capacity? If you mean as credential library for my targets, then yeah. If you mean, for getting AWS credentials, no.