Describe the bug
The service broker, deployed on AWS EKS with its Service Account object annotated with the metadata eks.amazonaws.com/role-arn: <my-role-arn>, does not use it, instead falling back to EC2 instance metadata (which does NOT have the right permissions) and therefore failing to start with a bunch of Access Denied errors.
To Reproduce
Deploy the service broker on EKS with IRSA enabled and add the proper role annotation.
Expected behavior
The AWS SDK used by the service broker should authenticate using the web identity token injected by EKS.
Screenshots
The assumed-role is the EKS instance role, the target_role is the actual service account role that should be used
Environment (please complete the following information):
Application Platform: Kubernetes (AWS EKS)
Application Platform Version: 1.18.9
Broker Version: 1.0.2
Additional context
I see that in pkg/broker/aws_sdk.go the EC2 instance role is being explicitly configured instead of relying on the SDK default credential chain. My suspicion is that this is preventing the SDK from falling back to the Web Identity authentication method.
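The credential-resolution behaviour the report describes, as an added example that is not code from the issue or from the broker project. It is a stand-alone Go model of how an AWS SDK provider chain resolves credentials: the web identity step reads the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE variables that the EKS pod identity webhook injects (real variable names; the STS AssumeRoleWithWebIdentity call itself is replaced by a check that the token file is readable), and the instance-metadata step always answers with the node role. The role ARNs, the temp-file token and the function names are constructed for the example and are assumptions, not values from the report.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Credentials records which provider answered and for which role.
type Credentials struct {
	Source  string
	RoleARN string
}

// Provider has the shape of an SDK credentials provider: credentials, or an
// error that tells the chain to try the next provider.
type Provider interface {
	Retrieve() (Credentials, error)
}

var errNoCreds = errors.New("no credentials from this provider")

// WebIdentityProvider models the IRSA path. It reads the two variables the
// EKS pod identity webhook injects; the real SDK would then call STS
// AssumeRoleWithWebIdentity with the token. Here it only checks the token file.
type WebIdentityProvider struct {
	Getenv func(string) string
}

func (p WebIdentityProvider) Retrieve() (Credentials, error) {
	roleARN := p.Getenv("AWS_ROLE_ARN")
	tokenFile := p.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	if roleARN == "" || tokenFile == "" {
		return Credentials{}, errNoCreds // not an IRSA pod: let the chain move on
	}
	tok, err := os.ReadFile(tokenFile)
	if err != nil || len(tok) == 0 {
		return Credentials{}, fmt.Errorf("web identity token unreadable: %w", err)
	}
	return Credentials{Source: "web-identity", RoleARN: roleARN}, nil
}

// EC2RoleProvider models the instance-metadata (IMDS) fallback. It always
// succeeds with the node's instance role, which is what the report observes.
type EC2RoleProvider struct {
	InstanceRoleARN string
}

func (p EC2RoleProvider) Retrieve() (Credentials, error) {
	return Credentials{Source: "ec2-instance-metadata", RoleARN: p.InstanceRoleARN}, nil
}

// Chain returns the first provider that succeeds, like the SDK default chain.
type Chain []Provider

func (c Chain) Retrieve() (Credentials, error) {
	for _, p := range c {
		if creds, err := p.Retrieve(); err == nil {
			return creds, nil
		}
	}
	return Credentials{}, errors.New("no provider in chain returned credentials")
}

// ResolveWithDefaultChain is the expected behaviour: web identity is consulted
// before IMDS, so an IRSA-annotated pod receives its own role.
func ResolveWithDefaultChain(getenv func(string) string, instanceRole string) (Credentials, error) {
	return Chain{
		WebIdentityProvider{Getenv: getenv},
		EC2RoleProvider{InstanceRoleARN: instanceRole},
	}.Retrieve()
}

// ResolvePinnedToEC2Role is the pattern the report describes: the instance
// role provider is configured directly, so the IRSA environment is never read.
func ResolvePinnedToEC2Role(instanceRole string) (Credentials, error) {
	return EC2RoleProvider{InstanceRoleARN: instanceRole}.Retrieve()
}

// FakeIRSAEnv writes a constructed (not real) token to a temp file and returns
// a getenv that mimics what the pod identity webhook injects into the pod.
func FakeIRSAEnv(roleARN string) (func(string) string, error) {
	dir, err := os.MkdirTemp("", "irsa-example")
	if err != nil {
		return nil, err
	}
	tokenPath := filepath.Join(dir, "token")
	if err := os.WriteFile(tokenPath, []byte("constructed.example.token"), 0o600); err != nil {
		return nil, err
	}
	env := map[string]string{"AWS_ROLE_ARN": roleARN, "AWS_WEB_IDENTITY_TOKEN_FILE": tokenPath}
	return func(k string) string { return env[k] }, nil
}

func main() {
	const nodeRole = "arn:aws:iam::123456789012:role/example-node-role" // assumed value
	getenv, err := FakeIRSAEnv("arn:aws:iam::123456789012:role/example-sa-role")
	if err != nil {
		panic(err)
	}
	chained, _ := ResolveWithDefaultChain(getenv, nodeRole)
	pinned, _ := ResolvePinnedToEC2Role(nodeRole)
	fmt.Printf("default chain: %s -> %s\n", chained.Source, chained.RoleARN)
	fmt.Printf("pinned to EC2: %s -> %s\n", pinned.Source, pinned.RoleARN)
}
```

The same two variables are the quickest thing to check inside the running pod: if AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are present in the container's environment, the webhook did its part, and a client that still ends up with the node role is selecting its provider explicitly rather than through the default chain.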