Question: Does Camel look for IAM roles from Env variables #282
Comments
The useiamcredentials option just looks for the EC2 IAM credentials and uses them.
@oscerd
That's related to the underlying instance. It's the IAM role with which you created the EC2 instance. No, the env variables are not taken into account. With the Aws2 components you can inject your own client instance and it will look to env variables if you don't provide a credential provider
@saranyaeu2987 there is more info here: aws/aws-sdk-java-v2#1470 but you need sdk version >=
@valdar
@valdar is correct. This should be as easy as Camel using the correct SDK version that has support for the AWS_WEB_IDENTITY_TOKEN_FILE env var. This should just be crawled in the DefaultCredentialProvider chain that the SDK executes to find credentials.
For the env variables for secret and access key, the standard client instance should check them out of the box
@oscerd we are trying to get EKS role-based credentials working. To be clear, this is the official AWS supported way of providing role-based credentials to Kubernetes pods. Our company does not allow access key/secret keys to avoid credential management overhead (securing, cycling, invalidating etc) and enforces all AWS access to use roles. AWS added a new way to source credentials in their SDKs to support K8s pod scoped IAM roles. @valdar linked the correct issue discussing this need in the java-sdk. It was fixed via aws/aws-sdk-java-v2#1501 and released as part of AWS Java SDK See:
Anyway, it should be possible when instantiating your own client. Using the correct version
@valdar I tried both camel-aws2-s3-kafka-connector-0.2.0.jar and camel-aws-s3-kafka-connector-0.2.0.jar; both gave me an access issue. Below is the list of plugins used. I am unsure if camel-aws2-s3-kafka-connector-0.2.0.jar and camel-aws-s3-kafka-connector-0.2.0.jar use aws-sdk >= 2.10.11
Only the Aws2 connectors are based on sdk v2. The version of sdk v2 used in the 0.2.0 kafka connector is 2.11.5
@oscerd @valdar Image 2 with following plugins obtained from https://repo1.maven.org/maven2/org/apache/camel/kafkaconnector/camel-aws2-s3-kafka-connector/0.2.0/
I feel camel-aws2-s3-.jar is giving me this error, because if I have camel-aws-s3-.jar it doesn't throw the above error. Please guide me on which jar I am missing!!
The scheme for aws2-s3 is aws2-s3, so it is camel.component.aws2-s3...
You have all the information and download links here
Yes, that's where I am getting all jars from. I am still getting access denied issues after using aws2-s3. TBH I am clueless
Please report your configuration, what you're setting, how is your client instance?
And you don't have to replace any jar in your plugin. Simply download the Aws2 s3 zipped connector and unzip it in your plugin path. Don't mix up dependencies.
That's what I did in the last run. Configurations
If you use the useIAMCredential parameter, the client won't check for env variables. The documentation is clear on this: "Set whether the S3 client should expect to load credentials on an EC2 instance or to expect static credentials to be passed in." You need to provide your own client instance, like explained here: https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html
And then reference this as camel.sink.endpoint.amazonS3Client
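An added example (not from the thread and not Camel's own code) of the kind of client the reply above describes: an AWS SDK v2 S3Client built with an explicit WebIdentityTokenFileCredentialsProvider, with a check of the pod's environment and an STS identity lookup before the client is returned. The class name WebIdentityS3ClientFactory is hypothetical, and the code assumes the SDK's s3 and sts modules are on the classpath and that it runs inside the pod; registering the client in the Camel registry is not shown.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityRequest;

// Hypothetical helper class: the name and structure are assumptions for illustration.
public final class WebIdentityS3ClientFactory {

    // Fail fast with a readable message instead of a later S3 "Access Denied".
    static void requireWebIdentityEnv() {
        String roleArn = System.getenv("AWS_ROLE_ARN");
        String tokenFile = System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE");
        if (roleArn == null || roleArn.isEmpty()) {
            throw new IllegalStateException("AWS_ROLE_ARN is not set in this pod");
        }
        if (tokenFile == null || !Files.isReadable(Paths.get(tokenFile))) {
            throw new IllegalStateException(
                "AWS_WEB_IDENTITY_TOKEN_FILE is unset or not readable: " + tokenFile);
        }
    }

    // Asks STS which principal these credentials map to. With web identity
    // credentials this is an assumed-role session of the role in AWS_ROLE_ARN.
    static String callerArn(AwsCredentialsProvider provider, Region region) {
        try (StsClient sts = StsClient.builder()
                .region(region).credentialsProvider(provider).build()) {
            return sts.getCallerIdentity(GetCallerIdentityRequest.builder().build()).arn();
        }
    }

    // Builds an S3 client that uses only the web identity token file,
    // never static keys or the EC2 instance profile.
    public static S3Client create(Region region) {
        requireWebIdentityEnv();
        AwsCredentialsProvider provider = WebIdentityTokenFileCredentialsProvider.create();
        System.out.println("Resolved caller identity: " + callerArn(provider, region));
        return S3Client.builder().region(region).credentialsProvider(provider).build();
    }

    public static void main(String[] args) {
        // Region is passed on the command line, for example: eu-west-1
        create(Region.of(args[0])).close();
    }
}
```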
I'll try to create an example or something when I have time.
Do you mean something like below? Please let me know if I am wrong
and in kafkaconnector.yaml
yes, something like that
@oscerd
org.apache.camel.ResolveEndpointFailedException: Failed to resolve endpoint: aws2-s3://heb-stg-emd-store-raw-ora.pemd?keyName=s3-connect/20200619/20200619-152832018 due to: useIAMCredentials is set to false, AmazonS3Client or accessKey and secretKey must be specified
Here is the kafkaconnector.yaml file
I do have to try. I'll have a look next week, maybe.
Is the above error because of a bug in camel-aws2-s3, since WebIdentityTokenFileCredentialsProvider is the one which looks for credentials in the env variable AWS_WEB_IDENTITY_TOKEN_FILE?
It's not a bug, not all the credential providers can be supported in the component out of the box. We have to choose and btw it's something else. You need to instantiate the client and from the error it's clear that the client is not in the registry.
Any client instantiated should work. So it's definitely something in the way you are defining the client and configuring it.
--> OK, how do I check whether my custom S3 client is in the registry or not, and what is this registry? This is how I have added it: I have created a separate jar with one class HEBS3Client with the following definition
with config and added the jar in the docker container which has the other camel files.
This is a followup of #267.
@valdar @oscerd
We configured EKS k8s pod with serviceaccount with IAM role for S3 authentication (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html) which will create 2 ENV variables inside pod
When I try to run the Camel Sink connector, I get an Access Denied issue for S3
QUESTION: Does
camel.component.aws-s3.useIAMCredentials: true
look for the IAM role ARN from those env variables in the pod?