
Failed to source credential on Amazon EKS IAM Roles for Service Account #83

Closed
Labels: bug (Something isn't working)

yantk-hk commented Oct 16, 2020

Upon upgrading to aws-for-fluent-bit 2.8 (Fluent Bit 1.6), the following error messages keep appearing. They show that the pod (Fluent Bit) keeps sourcing AWS credentials from the underlying EKS worker node (EC2 instance) rather than from the annotated EKS IAM Role for Service Account (IRSA).

[2020/10/16 09:52:24] [error] [output:es:es.3] HTTP status=403 URI=/_bulk, response: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::XXX873347XXX:role/eksctl-cluster-1-nodegroup-ng-al1-NodeInstanceRole-7GZZR0O6HRQS, backend_roles=[arn:aws:iam::XXX873347XXX:role/eksctl-cluster-1-nodegroup-ng-al1-NodeInstanceRole-7GZZR0O6HRQS], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::XXX873347XXX:role/eksctl-cluster-1-nodegroup-ng-al1-NodeInstanceRole-7GZZR0O6HRQS, backend_roles=[arn:aws:iam::XXX873347XXX:role/eksctl-cluster-1-nodegroup-ng-al1-NodeInstanceRole-7GZZR0O6HRQS], requestedTenant=null]"},"status":403}

The config of fluent bit is here:

[OUTPUT]
    Name            es
    Match           kube.*
    Host            amazon-es-domain.ap-southeast-1.es.amazonaws.com
    Port            443
    TLS             On
    Logstash_Format On
    Logstash_Prefix eks-cluster-1
    Retry_Limit     10
    AWS_Auth        On
    AWS_Region      ap-southeast-1
    Generate_ID     On
    Replace_Dots    On
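One way to confirm which principal the pod actually authenticated as, added here as an example and not code from this issue, from aws-for-fluent-bit or from Fluent Bit: parse the 403 body that the es output logs, compare the ARN it names with the role the service account is annotated with, and check whether the IRSA environment variables (`AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, injected by the EKS pod identity webhook) are present in the pod. If the IRSA variables are present but Elasticsearch still sees the node instance role, Fluent Bit skipped the web identity provider, which is the behaviour this issue reports; if they are absent, the webhook never injected IRSA and the fallback to the node role is the normal credential chain; if the principal matches the expected role, the 403 is an Elasticsearch fine-grained access control role-mapping problem, not a credential problem. The account ID, role names, token path and log line are constructed placeholders shaped like the report above.

```python
"""Diagnose which AWS principal Fluent Bit actually used when Amazon ES
rejected a bulk write with HTTP 403.

Added example for this issue; it is not code from aws-for-fluent-bit or
Fluent Bit. The log line, account ID, role names and environment below
are constructed to mirror the report above.
"""
import json
import re

# Environment variables the EKS pod identity webhook injects when the
# service account carries the eks.amazonaws.com/role-arn annotation.
IRSA_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")

# es output 403 lines end with the raw JSON body returned by the domain.
_RESPONSE_JSON = re.compile(r"HTTP status=403 .*?response: (\{.*\})\s*$")
# The ES security plugin names the authenticated principal in "reason".
# The account part accepts letters as well as digits so masked IDs such
# as XXX873347XXX (as in the report) still parse.
_PRINCIPAL = re.compile(
    r"User \[name=(arn:aws:iam::[0-9A-Za-z]{12}:(?:role|user)/[^,\]]+)"
)


def principal_from_log(line: str):
    """Return the IAM principal ARN named in an es output 403 line, or None."""
    m = _RESPONSE_JSON.search(line)
    if not m:
        return None
    try:
        body = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    reason = body.get("error", {}).get("reason", "")
    hit = _PRINCIPAL.search(reason)
    return hit.group(1) if hit else None


def diagnose(line: str, expected_role_arn: str, env: dict) -> dict:
    """Classify a 403 against the role the pod is supposed to use."""
    principal = principal_from_log(line)
    if principal is None:
        return {"principal": None, "diagnosis": "not_an_es_403", "missing_env": []}
    missing = [k for k in IRSA_ENV if not env.get(k)]
    if principal == expected_role_arn:
        # Credentials resolved correctly; ES fine-grained access control
        # simply has no role mapping (backend role) for this ARN.
        diagnosis = "es_role_mapping"
    elif missing:
        # The webhook never injected IRSA, so falling back to the node's
        # instance profile via IMDS is the expected chain behaviour.
        diagnosis = "irsa_not_injected"
    else:
        # IRSA was present yet ignored: the credential-chain bug this
        # issue tracks. Upgrade, or set AWS_STS_Endpoint as a workaround.
        diagnosis = "fluent_bit_ignored_irsa"
    return {"principal": principal, "diagnosis": diagnosis, "missing_env": missing}


# Constructed sample values (placeholder account, placeholder role names).
NODE_ROLE = ("arn:aws:iam::111122223333:role/"
             "eksctl-cluster-1-nodegroup-ng-al1-NodeInstanceRole-ABCDEFGHIJKL")
IRSA_ROLE = "arn:aws:iam::111122223333:role/fluent-bit-es-writer"
_REASON = (f"no permissions for [indices:data/write/bulk] and User "
           f"[name={NODE_ROLE}, backend_roles=[{NODE_ROLE}], requestedTenant=null]")
SAMPLE_LOG = (
    "[2020/10/16 09:52:24] [error] [output:es:es.3] HTTP status=403 URI=/_bulk, "
    "response: " + json.dumps({
        "error": {
            "root_cause": [{"type": "security_exception", "reason": _REASON}],
            "type": "security_exception",
            "reason": _REASON,
        },
        "status": 403,
    })
)

if __name__ == "__main__":
    env_with_irsa = {
        "AWS_ROLE_ARN": IRSA_ROLE,
        "AWS_WEB_IDENTITY_TOKEN_FILE":
            "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    }
    print(diagnose(SAMPLE_LOG, IRSA_ROLE, env_with_irsa))
```

On a live cluster the same answer comes from `kubectl exec` into the pod and running `env | grep AWS_` together with `aws sts get-caller-identity`; if the caller identity is the node role while the two IRSA variables are set, the logging agent is not honouring the web identity token.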
@yantk-hk yantk-hk reopened this Oct 16, 2020
@PettitWesley PettitWesley self-assigned this Oct 22, 2020
@PettitWesley PettitWesley added the bug Something isn't working label Oct 22, 2020
PettitWesley (Contributor):

Duplicate of: fluent/fluent-bit#2714

PettitWesley (Contributor):

It is a bug; I'm working on fixing it

PettitWesley (Contributor):

Downgrade to 2.7.0 to fix it

hoegertn:

I can confirm that this happens on ECS/Fargate with Firelens also.

Setting AWS_STS_Endpoint as advised in the referenced ticket helps.

PettitWesley (Contributor):

This was fixed in Fluent Bit upstream 1.6.2

AWS for Fluent Bit has not released yet because we are trying to fix fluent/fluent-bit#2715.

PettitWesley (Contributor):

This was fixed in the latest release: https://github.com/aws/aws-for-fluent-bit/releases/tag/v2.9.0
