Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ex_aws and ex_aws_sts does not seems to support IAM authentication within EKS? #1057

Open
danibachar opened this issue May 22, 2024 · 4 comments
Open

ex_aws and ex_aws_sts does not seems to support IAM authentication within EKS? #1057

danibachar opened this issue May 22, 2024 · 4 comments

Comments

@danibachar
Copy link

  • Do not use the issues tracker for help or support (try Elixir Forum, Slack, IRC, etc.)
  • Questions about how to contribute are fine.

Environment

  • Elixir & Erlang versions (elixir --version):1.16
  • ExAws version mix deps |grep ex_aws: 2.5.2 (ex_aws_s3: 2.5.2, ex_aws_sts: latest)
  • HTTP client version. IE for hackney do mix deps | grep hackney

Current behavior

I have an EKS cluster, when deploying a Deployment using a docker file. The SDK seems to fail to authenticate with the the ServiceAccount that is attached to that deployment.
It seems to default to an instance_role and auth with an IAM role of the nodes in the cluster.
In our example this IAM role does not have permissions to operate with an S3 bucket. Only the IAM role we have configure with the ServiceAccount.

I have checked that the newly create IAM role has succfient permissions and can operate with the relevant S3

Expected behavior

Working within EKS the SDK should work like any other AWS SDK and allow assuming/working with the IAM role that is attached to a Pod/Deployment using a ServiceAccount
@pepicrft
Copy link

👋🏼 We are interested in contributing to this. Could you let us know if this aligns with the library's direction and perhaps provide some pointers around how you'd expect it to be implemented?

@danibachar
Copy link
Author

Thanks Pedro!
the containers in your Pods must use an AWS SDK version that supports assuming an IAM role through an OpenID Connect web identity token file.

https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html

@arifken
Copy link

arifken commented May 24, 2024

To add to what to @danibachar, in order for this sdk to be able to run properly in EKS using service accounts, I think you'll need to implement something like this in the default credential provider chain for this SDK.

@RobinFrcd
Copy link

Hi,
Is there any known workaround right now ? Giving permissions to the node (instance) directly is clearly a very bad practice, and I would like to avoid that as much as possible.

Thanks !

@RobinFrcd RobinFrcd mentioned this issue Jun 12, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@arifken @pepicrft @danibachar @RobinFrcd