Java SDK does not support EKS IAM for service accounts #1470
Comments
Having the same issue using the AWS Java SDK version: 1.11.653.
According to the documentation this version of the SDK should also work fine. My application uses the role of the node instead of the one I have added through a service account.
@endre-synnes The issue is because WebIdentityTokenFileCredentialsProvider is not in the default credentials provider chain. The workaround for now is to specify the provider in the client initialization:
Looking forward to WebIdentityTokenFileCredentialsProvider being added to the default credentials provider chain.
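The explicit-provider workaround described above, written out as an added example that is not code from this thread or from the AWS SDK repository: it checks the IRSA environment first, wires WebIdentityTokenFileCredentialsProvider into the STS and S3 clients, and confirms via GetCallerIdentity which role was actually assumed, so a pod silently falling back to the node's instance role is visible. The class name and region are assumptions; WebIdentityTokenFileCredentialsProvider loads the STS module reflectively, so the `sts` artifact must be on the classpath.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

// Hypothetical class for this example; region is an assumption.
public class IrsaClients {
    private static final Region REGION = Region.US_EAST_1;

    // Fail fast if the pod was not mutated with the IRSA env vars and token volume.
    static void requireIrsaEnvironment() {
        String tokenFile = System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE");
        String roleArn = System.getenv("AWS_ROLE_ARN");
        if (tokenFile == null || roleArn == null) {
            throw new IllegalStateException(
                "AWS_WEB_IDENTITY_TOKEN_FILE / AWS_ROLE_ARN not set: "
                + "service account not annotated or pod identity webhook not applied");
        }
        if (!Files.isReadable(Paths.get(tokenFile))) {
            throw new IllegalStateException(
                "token file not readable by this uid: " + tokenFile
                + " (check the pod securityContext)");
        }
    }

    public static void main(String[] args) {
        requireIrsaEnvironment();
        // Explicit provider: reads AWS_WEB_IDENTITY_TOKEN_FILE / AWS_ROLE_ARN and
        // calls AssumeRoleWithWebIdentity; not in the default chain for the SDK
        // versions discussed in this thread.
        AwsCredentialsProvider irsa = WebIdentityTokenFileCredentialsProvider.create();

        // Verify the resolved principal before touching data services: an ARN for the
        // node's instance role here means the service account role was not picked up.
        try (StsClient sts = StsClient.builder().region(REGION).credentialsProvider(irsa).build()) {
            GetCallerIdentityResponse who = sts.getCallerIdentity();
            System.out.println("Running as: " + who.arn());
        }

        try (S3Client s3 = S3Client.builder().region(REGION).credentialsProvider(irsa).build()) {
            s3.listBuckets().buckets().forEach(b -> System.out.println(b.name()));
        }
    }
}
```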
Customers got confused and thought that once they upgraded the SDK to the listed version or above, the web identity token would be used for exchanging AWS credentials without any code changes. However, that is not the case, because WebIdentityTokenFileCredentialsProvider is not in the default credential provider chain for certain SDKs, for example: Java SDK - aws/aws-sdk-java-v2#1470, DotNet SDK - aws/aws-sdk-net#1413
@starchx Thank you! That solved the issue😄 Hope that the WebIdentityTokenFileCredentialsProvider will be added as a default soon!
Hi all, this should be part of the default chain. We will prepare a change for this.
@endre-synnes I am also experiencing the same problem despite the documentation saying it should work. We should file an issue at https://github.com/aws/aws-sdk-java/issues
Fixed via #1501 and released as part of
Hi, UPDATE
to the pod spec in order to make sure containers have access to the service token file.
Hi, It still doesn't work for me with
@imcheck make sure you have
Not really. When I try to run the S3 client, it says WebIdentityCredentialProvider needs Then I included
It just works :)
Hi Jiang, Could you please let me know the code snippet you have used with
and include
Thank you Jiang. This was conflicting with the AWS SDK jar I was using. The latest versions of the SDK and STS helped me.
This is an interesting discussion and somewhat related to a use case I am trying to figure out. My service needs to access resources in a different AWS account from EKS, so I want to use profiles and assume a role using a config like this:
Using the following code to access the STS client (for other purposes than assuming roles).

```java
stsClient = StsClient.builder().build();
```

Then I set the environment variable But when I go to run it, the service is still running as the I have found a workaround where if I specify to use profile credentials explicitly it works as expected.

```java
stsClient = StsClient.builder()
    .credentialsProvider(ProfileCredentialsProvider.create())
    .build();
```

Now this isn't a big deal as it is a small amount of additional code, but I am curious what the SDK is doing under the hood and why it is different from the CLI. A couple of things to consider: EKS seems to be injecting two environment variables into the container that could be affecting the behavior Thoughts?
Surprised that this works, but it does. Any idea why the separate declaration of sts is required?
I still get an error trying to connect to Secrets Manager from EKS using Service Account role.
still happens
only after I added |
Hi,
Adding the latest v1 version (1.11.1034 as of today) of the aws-java-sdk-sts dependency solved my issue (no code needed to be touched using the method
EKS IAM Service Account Role introduces a new environment variable "AWS_WEB_IDENTITY_TOKEN_FILE", and based on the documentation on these two pages, the Java SDK should use "AWS_WEB_IDENTITY_TOKEN_FILE" for credentials if it exists.
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html#pod-configuration
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html
I have tried the latest Java SDK 2.9.19 and it doesn't seem to work. There is a similar discussion on the DotNet SDK here:
aws/aws-sdk-net#1413
I couldn't find docs saying "AWS_WEB_IDENTITY_TOKEN_FILE" is in the list of credentials chain for SDK Java 2. I am wondering if this is implemented or not.
Expected Behavior
Based on the EKS doc link above, Java SDK should recognize the environment variable "AWS_WEB_IDENTITY_TOKEN_FILE" and use it to call AssumeRoleWithWebIdentity for access/secret/session tokens.
Current Behavior
I am getting Access Denied with the Java SDK in a correctly set up EKS pod with a service account. In the same pod, I was able to run
`aws s3 ls`
and it worked, which means the token is correct.
Steps to Reproduce (for bugs)
The code I am using to test is the sample S3 code here:
https://github.com/awsdocs/aws-doc-sdk-examples/blob/master/javav2/example_code/s3/src/main/java/com/example/s3/S3BucketOps.java
I set up a pod in EKS with the service account and IAM role properly set up. In the pod, I used the AWS CLI to test the token and it worked. However, the Java SDK didn't work.
Your Environment