如何使用aws中的web标识令牌使用go进行身份验证

Question

我正在尝试编写一个示例，说明如何在容器中使用web标识令牌来执行EC2操作。容器规范包含服务帐户，并具有访问令牌路径的必要权限，其命名空间是角色中的受信任实体。

package main

import (
    "fmt"

    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/credentials"
    "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/ec2"
    "github.com/aws/aws-sdk-go/service/sts"
)

func main() {

    sess, _ := session.NewSession()
    config := aws.NewConfig().WithRegion("us-east-1")

    stsSTS := sts.New(sess)
    roleARN := "arn:aws:iam::1234567:role/s2-p0o5-csi-drivers-ebs-cloud-credentials"

    roleProvider := stscreds.NewWebIdentityRoleProviderWithOptions(stsSTS, roleARN, "gosession", stscreds.FetchTokenPath("/build/token"))

    creds := credentials.NewCredentials(roleProvider)
    credValue, _ := roleProvider.Retrieve()
    fmt.Printf("credValue.AccessKeyID: %v\n", credValue.AccessKeyID)
    fmt.Printf("credValue.SecretAccessKey: %v\n", credValue.SecretAccessKey)
    fmt.Printf("credValue.SessionToken: %v\n", credValue.SessionToken)

    config = config.WithCredentials(creds)

    nodeID := "i-00843f27cfeb0beff"
    svc := ec2.New(sess, config)
    request := &ec2.DescribeInstancesInput{
        InstanceIds: []*string{&nodeID},
    }

    result, _ := svc.DescribeInstances(request)
    fmt.Printf("result: %v\n", result)
}

结果的值为空。然而，我已经将(credValue.AccessKeyID、credValue.SecretAccessKey、credValue.SessionToken)导出为环境变量，aws为我提供了与描述实例相关的输出。

我尝试过各种方法，比如使用凭据信息的credentials.NewStaticCredentials()，但是没有成功。一些人能帮助分享关于哪里出了问题和正确做法的提示吗？

Answer 1

所使用的实例id在区域中应该是可获得的，否则它将返回一个带有err == 0的空映射。