Skip to content

[blast] Add credentials-based K8s authentication for service users#7945

Draft
yangw-dev wants to merge 1 commit intomainfrom
elainewy/from-credentials
Draft

[blast] Add credentials-based K8s authentication for service users#7945
yangw-dev wants to merge 1 commit intomainfrom
elainewy/from-credentials

Conversation

@yangw-dev
Copy link
Copy Markdown
Contributor

@yangw-dev yangw-dev commented Apr 9, 2026

Add K8sClient.from_credentials() as an alternative to kubeconfig-based auth. This allows external services to connect using AWS access keys and optionally assume an IAM role, without needing a kubeconfig file.

  • New CredentialsConfig dataclass for AWS credentials settings
  • from_credentials() classmethod generates EKS tokens via presigned STS URLs (same mechanism as aws eks get-token)
  • BLAST_FROM_CREDENTIALS=1 env var to enable in CLI, reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optional BLAST_ROLE_ARN
  • Rate limiting (30 calls/60s) for credentials-based clients on write operations only (internal polling is not rate-limited)
  • _reload_client() auto-detects auth mode for token refresh

@yangw-dev
[blast] Add credentials-based K8s authentication for service users
7f27f35 
Add K8sClient.from_credentials() as an alternative to kubeconfig-based
auth. This allows external services to connect using AWS access keys
and optionally assume an IAM role, without needing a kubeconfig file.

- New CredentialsConfig dataclass for AWS credentials settings
- from_credentials() classmethod generates EKS tokens via presigned
  STS URLs (same mechanism as `aws eks get-token`)
- BLAST_FROM_CREDENTIALS=1 env var to enable in CLI, reads
  AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optional BLAST_ROLE_ARN
- Rate limiting (30 calls/60s) for credentials-based clients on
  write operations only (internal polling is not rate-limited)
- _reload_client() auto-detects auth mode for token refresh
@vercel
Copy link
Copy Markdown

vercel bot commented Apr 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
torchci Ignored Ignored Apr 9, 2026 6:22am

Request Review

@meta-cla meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Apr 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yangw-dev