s3.upload does not re-use IRSA temporary credentials #3481
Comments
jacknagel
added
bug
|
according to https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html, it should work starting at 2.521.0 🤔 I did experience the same thing though. I'm on 2.658.0. |
|
there might be an error in the doc as https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md#25230 seems to be where it was released... |
|
To be clear, this issue is not about IRSA support in general - we use it extensively with this SDK and it works fine. This is specifically about |
|
@jacknagel thx for clarifying. I suppose that, in my case, the problem comes from the fact that https://github.com/outline/outline/blob/2c1a111dee9dc55134bd5853f8e10e4017bb694e/server/utils/s3.js#L17 is passing the credential to the SDK instead of letting the SDK trying to find the right credentials? Is that right? I'm kinda new to node SDK but I do think python SDK works like that. |
|
I don't know, but continuing to troubleshoot your problem in this issue is just confusing things with the bug I've reported. Open your own ticket, please. |
ajredniwja
added
the
investigating
|
Hey @jacknagel thanks for opening this issue and apologies for delayed response, I am not quite able to reproduce the issue using the code example as both the calls use |
ajredniwja
added
the
response-requested
In the provided example, upload calls putObject directly due to the small file size, but that doesn't change the outcome.
I have the SDK configured to log to the console, and the STS API calls are logged. As I mentioned, this occurs when using token file credentials (i.e., the underlying API call is When I run the example code in our EKS clusters, I see the following (secrets redacted, of course). For the first loop (calling putObject), there is a single assumeRoleWithWebIdentity request, and then five putObject requests. For the second loop (calling upload), there is a separate assumeRoleWithWebIdentity request made before each of the underlying putObject calls. |
github-actions
bot
removed
the
response-requested
|
@ajredniwja I've tracked down why this is happening. It's this line: aws-sdk-js/lib/s3/managed_upload.js Line 287 in 54f8555 s3.upload is called (since each call creates a new ManagedUpload client).
If I change it from It was changed in this commit: e8f040e, so I'm not sure what the correct fix is. |
|
@AllanZhengYP This change: e8f040e (#3109) altered the behavior of This bug is currently blocking us from fully rolling out EKS IRSA to our apps. |
|
I am also trying to implement IRSA on my cluster. I am able to request for the After that, when I use However, when I use |
trivikr
removed
needs-triage
|
@AllanZhengYP Thanks for working on the fix. Unfortunately, it doesn't seem to have fully solved the problem. If I run the following script: const AWS = require('aws-sdk')
const { randomBytes } = require('crypto')
AWS.config.update({
logger: console
})
console.log('AWS SDK version: ' + AWS.VERSION)
const s3 = new AWS.S3({
apiVersion: '2006-03-01',
params: {
Bucket: '<REDACTED>'
}
});
(async function() {
for (let i = 0; i < 3; i++) {
const key = randomBytes(32).toString('hex')
await s3.upload({ Key: key, Body: Buffer.from('test') }).promise()
}
})()I still see credentials being re-fetched on every call to Any ideas? |
Confirm by changing [ ] to [x] below to ensure that it's a bug:
Describe the bug
When using IAM roles for service accounts in EKS, new credentials are requested from STS on each call to
s3.upload.We noticed a service making a large number of AssumeRoleWithWebIdentity requests to STS. After investigating, it was determined that the returned credentials do not appear to be re-used across multiple calls to
s3.upload.Is the issue in the browser/Node.js?
Node.js
If on Node.js, are you running this on AWS Lambda?
No
Details of the browser/Node.js version
v12.18.0
SDK version number
v2.767.0
To Reproduce (observed behavior)
This code demonstrates the issue (you must be using IRSA, of course).
Expected behavior
Credentials are cached and re-used across all API calls until they expire.
Additional context
Our service performs additional S3 operations (getObject, deleteObject) and the temporary credentials appear to be re-used appropriately.
The text was updated successfully, but these errors were encountered: