s3.upload does not re-use IRSA temporary credentials #3481
Comments
according to https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html, it should work starting at 2.521.0 🤔 I did experience the same thing though. I'm on 2.658.0.
there might be an error in the doc as https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md#25230 seems to be where it was released...
To be clear, this issue is not about IRSA support in general - we use it extensively with this SDK and it works fine. This is specifically about
@jacknagel thx for clarifying. I suppose that, in my case, the problem comes from the fact that https://github.com/outline/outline/blob/2c1a111dee9dc55134bd5853f8e10e4017bb694e/server/utils/s3.js#L17 is passing the credential to the SDK instead of letting the SDK try to find the right credentials? Is that right? I'm kinda new to the node SDK but I do think the python SDK works like that.
I don't know, but continuing to troubleshoot your problem in this issue is just confusing things with the bug I've reported. Open your own ticket, please.
Hey @jacknagel thanks for opening this issue and apologies for the delayed response, I am not quite able to reproduce the issue using the code example as both the calls use
In the provided example, upload calls putObject directly due to the small file size, but that doesn't change the outcome.
I have the SDK configured to log to the console, and the STS API calls are logged. As I mentioned, this occurs when using token file credentials (i.e., the underlying API call is When I run the example code in our EKS clusters, I see the following (secrets redacted, of course). For the first loop (calling putObject), there is a single assumeRoleWithWebIdentity request, and then five putObject requests. For the second loop (calling upload), there is a separate assumeRoleWithWebIdentity request made before each of the underlying putObject calls.
@ajredniwja I've tracked down why this is happening. It's this line: aws-sdk-js/lib/s3/managed_upload.js Line 287 in 54f8555
s3.upload is called (since each call creates a new ManagedUpload client).
If I change it from It was changed in this commit: e8f040e, so I'm not sure what the correct fix is.
@AllanZhengYP This change: e8f040e (#3109) altered the behavior of This bug is currently blocking us from fully rolling out EKS IRSA to our apps.
I am also trying to implement IRSA on my cluster. I am able to request for the
After that, when I use
However, when I use
@AllanZhengYP Thanks for working on the fix. Unfortunately, it doesn't seem to have fully solved the problem. If I run the following script:

```js
const AWS = require('aws-sdk')
const { randomBytes } = require('crypto')

// Log every SDK request (including the STS credential calls) to the console
AWS.config.update({
  logger: console
})

console.log('AWS SDK version: ' + AWS.VERSION)

const s3 = new AWS.S3({
  apiVersion: '2006-03-01',
  params: {
    Bucket: '<REDACTED>'
  }
});

(async function () {
  // Three uploads with random keys; each should re-use the cached credentials
  for (let i = 0; i < 3; i++) {
    const key = randomBytes(32).toString('hex')
    await s3.upload({ Key: key, Body: Buffer.from('test') }).promise()
  }
})()
```

I still see credentials being re-fetched on every call to
Any ideas?
Describe the bug
When using IAM roles for service accounts in EKS, new credentials are requested from STS on each call to s3.upload. We noticed a service making a large number of AssumeRoleWithWebIdentity requests to STS. After investigating, it was determined that the returned credentials do not appear to be re-used across multiple calls to s3.upload.
Is the issue in the browser/Node.js?
Node.js
If on Node.js, are you running this on AWS Lambda?
No
Details of the browser/Node.js version
v12.18.0
SDK version number
v2.767.0
To Reproduce (observed behavior)
This code demonstrates the issue (you must be using IRSA, of course).
Expected behavior
Credentials are cached and re-used across all API calls until they expire.
Additional context
Our service performs additional S3 operations (getObject, deleteObject) and the temporary credentials appear to be re-used appropriately.
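As an added illustration (not code from the issue, any commenter, or the aws-sdk-js project), the following Node.js model shows the mechanism behind the reported symptom and the expected behavior from the "Expected behavior" section. `CachedWebIdentityCredentials`, `assumeRoleWithWebIdentity`, `makeClock` and the STS call counter are constructed stand-ins for the SDK's credential provider and the real STS call: a fresh credential object per upload (as happens when each call builds its own client) has an empty cache every time and calls STS once per upload, while one shared object calls STS once and refreshes only when the credentials approach expiry. Counting AssumeRoleWithWebIdentity calls per upload, as the reporter did via the SDK logger, is the practical check for this class of problem.

```javascript
// Added example, not code from the issue, its commenters or aws-sdk-js.
// A small model of an expiry-cached web-identity credential provider, used to
// show why a fresh credential object per upload re-calls STS on every call
// while one shared object refreshes only when credentials approach expiry.

// Counter for simulated AssumeRoleWithWebIdentity calls (what the reporter
// saw in the SDK log). Constructed stand-in for real STS traffic.
let stsCalls = 0;
function stsCallCount() {
  return stsCalls;
}

// Simulated STS AssumeRoleWithWebIdentity: mints a constructed credential
// set that expires ttlMs after `now`. No network call is made.
function assumeRoleWithWebIdentity(now, ttlMs) {
  stsCalls += 1;
  return {
    accessKeyId: 'ASIA_CONSTRUCTED_' + stsCalls, // placeholder, not a real key
    secretAccessKey: 'constructed-secret',
    sessionToken: 'constructed-token-' + stsCalls,
    expiration: now + ttlMs,
  };
}

// Deterministic clock so expiry can be driven in a test instead of waiting.
function makeClock(start = 0) {
  let t = start;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// Hypothetical provider: caches credentials and refreshes them only when
// they are within refreshMarginMs of expiring (the expected behavior from
// the issue: cached and re-used across all API calls until they expire).
class CachedWebIdentityCredentials {
  constructor({ clock, ttlMs = 3600 * 1000, refreshMarginMs = 60 * 1000 }) {
    this.clock = clock;
    this.ttlMs = ttlMs;
    this.refreshMarginMs = refreshMarginMs;
    this.cached = null;
  }

  needsRefresh() {
    if (this.cached === null) return true;
    return this.clock.now() + this.refreshMarginMs >= this.cached.expiration;
  }

  get() {
    if (this.needsRefresh()) {
      this.cached = assumeRoleWithWebIdentity(this.clock.now(), this.ttlMs);
    }
    return this.cached;
  }
}

// Models the reported bug: every upload builds a new client and therefore a
// new provider object, so the cache is always empty and STS is called n times.
// Returns the number of STS calls made during this run.
function uploadsWithFreshProviderPerCall(n, clock) {
  const before = stsCalls;
  for (let i = 0; i < n; i++) {
    const creds = new CachedWebIdentityCredentials({ clock });
    creds.get(); // would be attached to the per-call S3 client
  }
  return stsCalls - before;
}

// Models the expected behavior: one provider object shared by all uploads.
// Returns the number of STS calls made during this run.
function uploadsWithSharedProvider(n, clock, provider) {
  const before = stsCalls;
  for (let i = 0; i < n; i++) {
    provider.get();
  }
  return stsCalls - before;
}

// Demonstration run with constructed values.
const demoClock = makeClock();
console.log('fresh provider per call, 5 uploads -> STS calls:',
  uploadsWithFreshProviderPerCall(5, demoClock));
const demoShared = new CachedWebIdentityCredentials({ clock: demoClock });
console.log('shared provider, 5 uploads -> STS calls:',
  uploadsWithSharedProvider(5, demoClock, demoShared));
demoClock.advance(3600 * 1000 - 30 * 1000); // now inside the 60 s refresh margin
console.log('shared provider near expiry, 2 uploads -> STS calls:',
  uploadsWithSharedProvider(2, demoClock, demoShared));
```

The refresh margin matters in practice: refreshing a little before the recorded expiration avoids a request failing with expired credentials mid-flight, while still keeping the STS call rate at roughly one per token lifetime rather than one per upload.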