AWS IRSA - Region not being passed from created Client to STS to get JWT #2126
Comments
Thanks for the information! This credential provider is currently not supported in v2, the blog post is not accurate for the versioning, the feature is supported since v3, v3 is modularized and compatible upgrading guide
make sure double checking the core version used : )
Hi @cjyclaire - thank you for the swift response :) I did a double check to see what error of
This image was only built very recently (preferring v3 modularisation over v2). As I said, a work-around is to explicitly set
Thanks for the information, apologies for missing the rest part when I saw the wrong version! The question is about region setting, the default behavior when checking web assume role identities, it's checking ENVs and profile provided. One way to use the default behavior is setting While we currently support this credential provider from config, we don't take in region parameters there, this can be a feature request for supporting that, does this sound good to you? For quick workaround, the credential interface is directly available for use, allowing client configuration.
I'm running into this same issue. As part of our delivery pipeline we use scripts that handle creating resources in multiple regions, making use of I don't think creating an EC2 client with
Agreed that this shouldn't raise an error when using web identity credentials. I'll pick up adding a fix for this.
thanks!
Please fill out the sections below to help us address your issue
Issue description
IAM Roles for Service Accounts has been released in AWS for Kubernetes clusters running v1.13+
In the linked article, it mentions a minimum version of the Ruby SDK required to interact natively with this service (without manually making a STS call via the command line and setting env variables) is Ruby 2.11.345
The issue I am seeing is that when I pass a region parameter to instantiate a Client as part of my code, this region is not being passed to the STS call - this error occurs in all three of the clients I have tried (IAM, S3, EC2).
I assume this is something to do with the new handling of the assume_role_web_identity_credentials, released by AWS as part of this. When using our original IAM implementation with kube2IAM, the same code does not cause any errors - only when using "IAM roles for Service Accounts"
A workaround, for anyone reading pre-fix, is to set
Aws.config.update({ region: 'region' })
at the start of your code, rather than set it as part of the client, e.g.
ec2 = Aws::EC2::Client.new(region: 'us-west-2')
- but this would not be a solution for large codebases this might affect.
Configuration options available
Error:
This PR may be a fix - but I am not sure enough of how the gems work to make that assumption
#2090
Gem name ('aws-sdk', 'aws-sdk-resources' or service gems like 'aws-sdk-s3') and its version
Has been observed using the following gems - but may affect others
aws-sdk-s3 1.48.0
aws-sdk-ec2 1.110.0
aws-sdk-iam 1.30.0
Version of Ruby, OS environment
Ruby 2.5.1
Running on the ruby:2.5 Docker base image
Running inside a Kubernetes Cluster with v1.13 and an OIDC provider for IRSA
Code snippets / steps to reproduce
Needs to be using the IRSA features as a pod in AWS EKS or another Cluster.
Causes an issue:
Working scenario:
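The maintainer's suggested workaround in the comments (using the credential class directly so the STS client gets its own region) can be sketched as follows. This is an added example, not the reporter's snippet or SDK source; it assumes the standard IRSA variables `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE`, and the region format check and session name are constructed for illustration.

```ruby
# Added example: preflight check plus explicit-region IRSA credentials.
REGION_ENV_KEYS = %w[AWS_REGION AWS_DEFAULT_REGION].freeze
# Assumed shape of a region name (us-west-2, us-gov-west-1); the value ends up
# in the STS endpoint hostname, so anything else is rejected.
REGION_FORMAT = /\A[a-z]{2}(-[a-z]+)+-\d+\z/
IRSA_KEYS = %w[AWS_ROLE_ARN AWS_WEB_IDENTITY_TOKEN_FILE].freeze

# Reports whether an IRSA pod's environment gives the default credential
# chain a region for its STS call. `env` is ENV or any Hash.
def irsa_region_report(env = ENV)
  irsa = IRSA_KEYS.all? { |k| !env[k].to_s.empty? }
  region = REGION_ENV_KEYS.map { |k| env[k] }.find { |v| !v.to_s.empty? }
  problems = []
  problems << 'not an IRSA environment' unless irsa
  if irsa && region.nil?
    problems << 'no region in environment: a region set only on a service client does not reach STS'
  end
  problems << "malformed region #{region.inspect}" if region && !REGION_FORMAT.match?(region)
  { irsa: irsa, region: region, problems: problems }
end

# Builds web identity credentials whose STS client is pinned to `region`,
# so each service client can keep its own region argument.
def irsa_credentials_for(region, env = ENV)
  raise ArgumentError, "malformed region #{region.inspect}" unless REGION_FORMAT.match?(region.to_s)

  require 'aws-sdk-core' # loaded lazily; provides Aws::STS::Client
  Aws::AssumeRoleWebIdentityCredentials.new(
    # credentials: false keeps this client from resolving the default chain itself
    client: Aws::STS::Client.new(region: region, credentials: false),
    role_arn: env.fetch('AWS_ROLE_ARN'),
    web_identity_token_file: env.fetch('AWS_WEB_IDENTITY_TOKEN_FILE'),
    role_session_name: 'irsa-explicit-region' # hypothetical session name
  )
end

# Usage inside a pod (needs the aws-sdk-ec2 gem):
#   creds = irsa_credentials_for('us-west-2')
#   ec2 = Aws::EC2::Client.new(region: 'us-west-2', credentials: creds)
```

Running `irsa_region_report` at start-up surfaces the missing-region case before the first service client is built, which is easier to diagnose than the error raised from inside the credential chain.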