@katamotokosuke

Summary

  • Support AWS Role Chaining and enable automatic credential refresh for long-running jobs
  • Replace static AWS credentials (aws_access_key_id, etc.) with AssumeRole-based authentication
  • Automatically refresh credentials 5 minutes before they expire

Background

When AWS Role Chaining is used, the AWS specification limits the maximum session duration to 1 hour. The previous implementation received static AWS credentials from the configuration, so the plugin could not refresh them internally, and jobs running longer than 1 hour failed with expired credentials.

Changes

File                                              Change
AwsRoleCredentialsSupplier.java                   New: AssumeRole + automatic refresh
WorkloadIdentityFederationConfig.java             Configuration options changed
WorkloadIdentityFederationAuth.java               Switched to the Supplier pattern
WorkloadIdentityFederationCredentials.java        CacheKey changed
shadow-google-cloud-bigquery-helper/build.gradle  Added the AWS SDK STS dependency
AwsRoleCredentialsSupplierTest.java               New
WorkloadIdentityFederationAuthTest.java           New

Breaking Changes

The configuration schema changes:

# Before
workload_identity_federation:
  config: /path/to/wif-config.json
  aws_access_key_id: AKIAXXXXXXXXXX
  aws_secret_access_key: xxxxxxxxxxxxx
  aws_session_token: xxxxx
  aws_region: ap-northeast-1

# After
workload_identity_federation:
  config: /path/to/wif-config.json
  aws_role_arn: arn:aws:iam::123456789012:role/role-name
  aws_role_session_name: embulk-bigquery-output  # optional, default: "embulk-bigquery-output"
  aws_region: ap-northeast-1                      # optional, default: "ap-northeast-1"

Test plan

  • Run the unit tests (./gradlew test)
  • Integration test in an EKS environment (using IRSA)

🤖 Generated with Claude Code
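To make the AssumeRole-plus-early-refresh design described in this PR concrete, here is an added example of a supplier that does what the Summary and Changes sections describe. It is illustrative code written for this page, not the PR's own AwsRoleCredentialsSupplier: the class name, the use of google-auth-library's AwsSecurityCredentialsSupplier interface, the AWS SDK v2 StsClient, the 1-hour session request, and the 5-minute refresh margin as a constant are all assumptions about how such a supplier would be built.

```java
import java.time.Duration;
import java.time.Instant;

import com.google.auth.oauth2.AwsSecurityCredentials;
import com.google.auth.oauth2.AwsSecurityCredentialsSupplier;
import com.google.auth.oauth2.ExternalAccountSupplierContext;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.Credentials;

/**
 * Illustrative supplier (assumed name; not the plugin's class). Calls STS
 * AssumeRole for the configured role and hands the temporary keys to
 * google-auth's AWS workload identity federation flow, refreshing them
 * REFRESH_MARGIN before expiry so a job longer than one session never
 * presents expired AWS credentials to the Google STS token exchange.
 */
public final class AssumeRoleSecurityCredentialsSupplier implements AwsSecurityCredentialsSupplier {
    // Role chaining caps a session at 1 hour; asking for more is rejected by STS.
    private static final int SESSION_SECONDS = 3600;
    private static final Duration REFRESH_MARGIN = Duration.ofMinutes(5);

    // transient: the interface extends Serializable and an SDK client is not.
    private final transient StsClient sts;
    private final String roleArn;
    private final String sessionName;
    private final String region;

    // Guarded by 'this': cached temporary credentials and when they expire.
    private AwsSecurityCredentials cached;
    private Instant expiresAt = Instant.EPOCH;

    public AssumeRoleSecurityCredentialsSupplier(StsClient sts, String roleArn,
                                                 String sessionName, String region) {
        this.sts = sts;
        this.roleArn = roleArn;
        this.sessionName = sessionName;
        this.region = region;
    }

    @Override
    public String getRegion(ExternalAccountSupplierContext context) {
        return region;
    }

    @Override
    public synchronized AwsSecurityCredentials getCredentials(ExternalAccountSupplierContext context) {
        if (cached == null || needsRefresh(Instant.now())) {
            refresh();
        }
        return cached;
    }

    /** True when REFRESH_MARGIN or less remains before expiry (or already expired). */
    boolean needsRefresh(Instant now) {
        return !now.plus(REFRESH_MARGIN).isBefore(expiresAt);
    }

    private void refresh() {
        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(sessionName)
                .durationSeconds(SESSION_SECONDS)
                .build();
        Credentials c = sts.assumeRole(request).credentials();
        cached = new AwsSecurityCredentials(c.accessKeyId(), c.secretAccessKey(), c.sessionToken());
        expiresAt = c.expiration();
    }

    // Assumed wiring: the base identity comes from the SDK's default provider
    // chain (e.g. IRSA on EKS); the role ARN and session name mirror the PR's
    // sample config. The supplier is then passed to AwsCredentials.newBuilder()
    // via setAwsSecurityCredentialsSupplier(...) alongside the WIF config values.
    public static void main(String[] args) {
        StsClient sts = StsClient.builder().region(Region.AP_NORTHEAST_1).build();
        AwsSecurityCredentialsSupplier supplier = new AssumeRoleSecurityCredentialsSupplier(
                sts, "arn:aws:iam::123456789012:role/role-name",
                "embulk-bigquery-output", "ap-northeast-1");
        System.out.println("supplier ready for region " + supplier.getRegion(null));
    }
}
```

Two points worth checking in any implementation of this pattern: getCredentials is called from the token-refresh path of the Google credential, so it must be thread-safe (hence the synchronized method and the single cached pair), and the early-refresh comparison must use the expiration STS returns rather than assuming a fixed 1-hour lifetime, because the assumed role's MaxSessionDuration or the chaining cap may shorten it. The session name is recorded in CloudTrail, so keeping the default "embulk-bigquery-output" makes the plugin's AssumeRole calls easy to attribute.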

Replace static AWS credentials with AssumeRole-based authentication
to support automatic credential refresh for long-running jobs.

Changes:
- Add AwsRoleCredentialsSupplier for AssumeRole + auto-refresh (5 min before expiry)
- Update WorkloadIdentityFederationConfig: replace aws_access_key_id/secret/session_token with aws_role_arn
- Update WorkloadIdentityFederationAuth to use AwsSecurityCredentialsSupplier pattern
- Update WorkloadIdentityFederationCredentials with new cache key based on role ARN
- Add AWS SDK STS dependency
- Add unit tests for AwsRoleCredentialsSupplier and WorkloadIdentityFederationAuth

BREAKING CHANGE: Configuration schema changed
- Removed: aws_access_key_id, aws_secret_access_key, aws_session_token
- Added: aws_role_arn, aws_role_session_name (optional)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@katamotokosuke

Merging for now to verify the behavior.

@katamotokosuke katamotokosuke merged commit 60577d1 into master Jan 20, 2026
1 check passed
@katamotokosuke katamotokosuke deleted the fix-assume-role branch January 20, 2026 01:47