BSL.spec.config["credentialsFile"] overrides AWS Web Identity Token credentials from pod environment #7302
Credentials chain for Go is unclear to me: https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/
@RobKenis
@reasonerjt We cannot unset the environment variables because we still need those for authenticating to S3 for our main backup bucket. I've attached a PR on how we may potentially work around the issue. If we support a custom credentials provider chain in the aws plugin, we can set the custom provider (like a Kubernetes secret) in the config of the BSL and then it should override the default credentials provider chain. Could you provide some feedback on this?
I would retitle this issue to
Describe the problem/challenge you have
We have Velero deployed on AWS EKS with IRSA. This allows the pod to assume a role with permissions on bucket A. We have another bucket (B) in another AWS account to which we want to grant permissions using an IAM User. We have the credentials configured on the BackupStorageLocation like so:
The issue is that Velero authenticates to the bucket using the IAM Role which is assumed through IRSA and does not take the static credentials into account. This could be because the default credentials chain gives priority to web identity credentials over the shared credentials file: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
Describe the solution you'd like
When explicit credentials are defined on a BackupStorageLocation, these always take first priority.
Environment:
Velero version (velero version): 5.2.0
Kubernetes version (kubectl version): 1.28.4
OS (/etc/os-release): N/A
Vote on this issue!
This is an invitation to the Velero community to vote on issues, you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.
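As an added illustration (not Velero's or the AWS SDK's code), the following Go model shows the precedence problem the issue describes and the requested fix: with the IRSA variables AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE set in the pod, the default-chain order picks web identity and the BSL's credentials file is never used, whereas an explicit BSL override loads the file first. The credentials file content, the env values and the function names are constructed for the example.

```go
package main

import "strings"

// Credentials is a resolved static key pair plus the source that supplied it.
type Credentials struct{ AccessKeyID, SecretAccessKey, Source string }

// SampleCredsFile is a constructed stand-in for the file that
// BSL.spec.config["credentialsFile"] points at; the values are fake.
const SampleCredsFile = `[default]
aws_access_key_id = EXAMPLEKEYIDFORBUCKETB
aws_secret_access_key = examplesecretforbucketb
`

// parseSharedCredentials reads one profile of an INI-style shared credentials
// file; ok is false when that profile lacks either key.
func parseSharedCredentials(content, profile string) (c Credentials, ok bool) {
	c.Source = "credentialsFile"
	section := ""
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		if k, v, found := strings.Cut(line, "="); found && section == profile {
			switch strings.TrimSpace(k) {
			case "aws_access_key_id":
				c.AccessKeyID = strings.TrimSpace(v)
			case "aws_secret_access_key":
				c.SecretAccessKey = strings.TrimSpace(v)
			}
		}
	}
	return c, c.AccessKeyID != "" && c.SecretAccessKey != ""
}

// resolve models the default-chain order from the issue (web identity env vars
// before the shared credentials file); bslExplicit=true loads the file first.
func resolve(env map[string]string, credsFile string, bslExplicit bool) Credentials {
	file, haveFile := parseSharedCredentials(credsFile, "default")
	irsa := env["AWS_ROLE_ARN"] != "" && env["AWS_WEB_IDENTITY_TOKEN_FILE"] != ""
	switch {
	case haveFile && (bslExplicit || !irsa):
		return file
	case irsa:
		return Credentials{Source: "webIdentity:" + env["AWS_ROLE_ARN"]}
	}
	return Credentials{Source: "none"}
}
```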