Using your runner's IRSA IAM role within a workflow job container

[toast-gear]

A correctly configured IRSA setup will bootstrap your runners IAM role onto the runner automatically, at this point your runner will have the permissions of the associated IAM role. You may want to bring those permissions into a conatiner defined in a workflow, for example:

name: My Awesome Workflow

on:
  workflow_dispatch:

jobs:
  checks:
    runs-on: self-hosted
    container:
      image: amazon/aws-cli:latest
    steps:
        - run: aws sts get-caller-identity

With this pipeline, our defined container amazon/aws-cli won't have any AWS rights as the bootstrapped token is on the runner, not in the amazon/aws-cli:latest container. As a result of this our aws sts call would fail. In order to bring our runner's bootstrapped IAM role into our container we must manually port the environment variables IRSA creates as well as mount of web identity token into our container:

name: My Awesome Workflow

on:
  workflow_dispatch:

jobs:
  checks:
    runs-on: self-hosted
    container:
      image: amazon/aws-cli:latest
      env:
        AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
        # This should be the same role that is being bootstrapped onto our runner 
        AWS_ROLE_ARN: arn:aws:iam::xxxx:role/runner-irsa-role
      volumes:
        - /var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token
    steps:
        - run: aws sts get-caller-identity

[krzyzakp]

Had same problem, your solution works indeed. However, based on official docs adding serviceAccountName and fsGroup should be sufficient - but is not.

[toast-gear]

We try not to get too cloud specific in the docs for various reasons, as a result the docs only cover the initial configuration needed to bootstrap your IRSA role onto the runner itself. The docs don't go into the more advanced usage, you should be able to issue aws commands from the runner itself using the official docs.

[jpke]

Running the solution now results in this error:

Error: Volume mounts outside of the work folder are not supported

Is there an updated approach for using IRSA creds in a workflow job container?

[veronicatjan]

Having the same problem, and also encountered this error.
Error: Volume mounts outside of the work folder are not supported

Raise an issue #2754

[veronicatjan]

This can be done using solution from actions/runner-container-hooks#50