Setting the env. variables (AWS_ROLE_ARN & AWS_WEB_IDENTITY_TOKEN_FILE) on a pod/container running in EKS. The go application will still try to use the IAM role specified by the EC2 metadata. #3101
Comments
Also happening in newer aws-sdk-go: 1.28.11 with go version go1.13.5
+1
I ran into this issue in v1.20 and resolved by upgrading to v1.29.26
Also, hashicorp/terraform#22992 (comment) this comment contains a workaround for setting traditional credential env vars from a token file
Hi @steven-cherry, apologies for the long delay in response from our end on this. The kubernetes/cloud-provider-aws repo you mention appears to be using version 1.16.26 of the AWS SDK for Go which was released in Jan 2019 - at the time, EKS did not support web identity token files so functionality for this had not been implemented in that version of the AWS SDK for Go. I see you mentioned you're using v1.28.2 of the SDK, are you building this cloud controller on your end using this version of the SDK? If not, where does this version of the SDK come into play on your end? I was able to create an EKS cluster that uses a role named I used an STS I hope this information helps, but please do feel free to reach out if you have additional questions for us about this.
Please fill out the sections below to help us address your issue.
Version of AWS SDK for Go?
v1.28.2
Version of Go (go version)?
1.13.5
What issue did you see?
When running an application in an EKS cluster and specifying the following environment variables on the pod/container
AWS_ROLE_ARN=......
AWS_WEB_IDENTITY_TOKEN_FILE=......
the IAM role that the EC2 metadata refers to is still used by the application and not the role specified by the AWS_ROLE_ARN environment variable.
Steps to reproduce
If you have a runnable example, please include it.
Run the following 'cloud controller' in an EKS cluster,
https://github.com/kubernetes/cloud-provider-aws
try and deploy for example an 'ELB' using the appropriate annotations listed in,
https://github.com/kubernetes/kubernetes/blob/e4b0a935fa393944b6322fa6ef0970d858ad70f6/pkg/cloudprovider/providers/aws/aws.go#L98
whilst having the following environment variables set to appropriate values
AWS_ROLE_ARN=......
AWS_WEB_IDENTITY_TOKEN_FILE=......
the application will still try and deploy the ELB using the IAM role attached to the underlying EC2 instance.
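An added preflight check for the situation described in this report (example code written for this page; it is not part of the AWS SDK for Go or of kubernetes/cloud-provider-aws). It verifies that the two variables the SDK is expected to honour, AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, are present and point at a readable, unexpired service-account token, and it compares the ARN that sts:GetCallerIdentity would return against the intended role, which is how the silent fall-through to the EC2 instance-profile role shows up at runtime. The token file path, role name, account id and the token contents are constructed for the demo; the ARN formats for IAM roles and STS assumed-role sessions are the real ones, and the JWT claims read here (sub, aud, exp) are the standard ones carried by projected service-account tokens.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Role ARNs and assumed-role ARNs in any AWS partition (aws, aws-cn, aws-us-gov).
var (
	roleARNPattern     = regexp.MustCompile(`^arn:aws[a-zA-Z-]*:iam::(\d{12}):role/(.+)$`)
	assumedRolePattern = regexp.MustCompile(`^arn:aws[a-zA-Z-]*:sts::(\d{12}):assumed-role/([^/]+)/`)
)

// WebIdentityReport summarises what the pod was given for web identity auth.
type WebIdentityReport struct {
	RoleARN, RoleName string
	TokenSubject      string   // e.g. system:serviceaccount:<namespace>:<name>
	TokenAudience     []string // normally sts.amazonaws.com
	TokenExpiry       time.Time
	Problems          []string // empty means the SDK has everything it needs
}

// CheckWebIdentityEnv inspects the two variables from the issue. readFile is
// injected so the check can run against constructed data without a cluster;
// inside a pod pass os.ReadFile and values taken from os.Getenv.
func CheckWebIdentityEnv(env map[string]string, readFile func(string) ([]byte, error), now time.Time) WebIdentityReport {
	r := WebIdentityReport{RoleARN: env["AWS_ROLE_ARN"]}
	if r.RoleARN == "" {
		r.Problems = append(r.Problems, "AWS_ROLE_ARN is not set; the credential chain will fall through to the instance profile")
	} else if m := roleARNPattern.FindStringSubmatch(r.RoleARN); m == nil {
		r.Problems = append(r.Problems, "AWS_ROLE_ARN is not an IAM role ARN: "+r.RoleARN)
	} else {
		r.RoleName = m[2]
	}
	path := env["AWS_WEB_IDENTITY_TOKEN_FILE"]
	if path == "" {
		r.Problems = append(r.Problems, "AWS_WEB_IDENTITY_TOKEN_FILE is not set")
		return r
	}
	raw, err := readFile(path)
	if err != nil {
		r.Problems = append(r.Problems, "token file unreadable: "+err.Error())
		return r
	}
	sub, aud, exp, err := parseJWTClaims(strings.TrimSpace(string(raw)))
	if err != nil {
		r.Problems = append(r.Problems, "token file does not hold a JWT: "+err.Error())
		return r
	}
	r.TokenSubject, r.TokenAudience, r.TokenExpiry = sub, aud, time.Unix(exp, 0).UTC()
	if !r.TokenExpiry.After(now) {
		r.Problems = append(r.Problems, "projected token expired at "+r.TokenExpiry.Format(time.RFC3339)+"; check the volume projection")
	}
	return r
}

// parseJWTClaims decodes only the payload segment. Signature verification is
// STS's job; the operator only needs sub, aud and exp to see what was mounted.
func parseJWTClaims(token string) (sub string, aud []string, exp int64, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, 0, errors.New("expected three dot-separated segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return "", nil, 0, err
	}
	var c struct {
		Sub string          `json:"sub"`
		Aud json.RawMessage `json:"aud"` // a single string or an array of strings
		Exp int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", nil, 0, err
	}
	if len(c.Aud) > 0 {
		var one string
		if json.Unmarshal(c.Aud, &one) == nil {
			aud = []string{one}
		} else if err := json.Unmarshal(c.Aud, &aud); err != nil {
			return "", nil, 0, fmt.Errorf("aud claim: %w", err)
		}
	}
	return c.Sub, aud, c.Exp, nil
}

// IdentityMatchesRole compares the ARN returned by sts:GetCallerIdentity with
// the role the pod was supposed to assume. The instance-profile fallback from
// the issue shows up here as a different role name (or a different account).
func IdentityMatchesRole(callerARN, expectedRoleARN string) bool {
	role := roleARNPattern.FindStringSubmatch(expectedRoleARN)
	caller := assumedRolePattern.FindStringSubmatch(callerARN)
	if role == nil || caller == nil {
		return false
	}
	name := role[2][strings.LastIndex(role[2], "/")+1:] // role ARNs may carry a path; assumed-role ARNs carry only the name
	return role[1] == caller[1] && name == caller[2]
}

// MakeConstructedToken builds an unsigned JWT-shaped token for offline demos.
// Real projected tokens are signed by the cluster's OIDC issuer.
func MakeConstructedToken(sub, aud string, exp time.Time) string {
	seg := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "none", "typ": "JWT"}
	claims := map[string]interface{}{"sub": sub, "aud": []string{aud}, "exp": exp.Unix()}
	return seg(header) + "." + seg(claims) + "."
}

func main() {
	now := time.Now()
	// Constructed pod environment; the token path is the usual projected mount.
	env := map[string]string{
		"AWS_ROLE_ARN":                "arn:aws:iam::123456789012:role/eks/cloud-controller",
		"AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
	}
	token := MakeConstructedToken("system:serviceaccount:kube-system:cloud-controller", "sts.amazonaws.com", now.Add(time.Hour))
	rep := CheckWebIdentityEnv(env, func(string) ([]byte, error) { return []byte(token), nil }, now)
	fmt.Printf("role=%s subject=%s problems=%v\n", rep.RoleName, rep.TokenSubject, rep.Problems)
	// The failure mode from the issue: GetCallerIdentity reports the node's role.
	fmt.Println(IdentityMatchesRole("arn:aws:sts::123456789012:assumed-role/eks-node-role/i-0abc", env["AWS_ROLE_ARN"]))
}
```

Running the report at container start, and logging the result of IdentityMatchesRole against the SDK's actual GetCallerIdentity output, turns the silent fallback into an explicit startup error instead of an ELB created under the wrong role.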