Describe the bug
I installed aws-servicebroker chart v1.0.2 on EKS cluster overriding aws.targetrolename setting role name that has permissions sufficient for broker functioning:
EC2 instance role where broker is scheduled allows to assume the target role (sts:AssumeRole).
Despite that broker was not able to read templates from bucket.
I added s3 permissions to EC2 instance role and after that there was an error message about lack of permissions to write data into dynamodb.
I added dynamodb permissions to EC2 instance role and after that broker got up.
Looks like broker ignores aws.targetrolename setting. It is also visible in the logs:
```text
I0402 05:53:06.278954 1 util.go:195] Did not find 'aws_access_key' and 'aws_secret_key' in params, using default chain.
I0402 05:53:06.279039 1 aws_sdk.go:71] Parameter 'target_role_name' not set. Not assuming role.
I0402 05:53:06.279103 1 util.go:195] Did not find 'aws_access_key' and 'aws_secret_key' in params, using default chain.
I0402 05:53:06.279130 1 aws_sdk.go:71] Parameter 'target_role_name' not set. Not assuming role.
I0402 05:53:06.754827 1 awsbroker.go:36] Running as caller identity '{
  Account: "<account id>",
  Arn: "arn:aws:sts::<account id>:assumed-role/<EC2 instance role>/<EC2 instance id>",
  UserId: "<id>"
}'.
I0402 05:53:06.754932 1 util.go:91] "awsservicebroker_all_all_all_region"="<region>"
I0402 05:53:06.754940 1 util.go:91] "awsservicebroker_all_all_all_VpcId"="<vpc id>"
I0402 05:53:06.754947 1 util.go:91] "awsservicebroker_all_all_all_target_role_name"="<target role>"
I0402 05:53:06.754967 1 awsbroker.go:174] Listing objects bucket: <bucket> region: <region> prefix: <dir>
I0402 05:53:06.826370 1 awsbroker.go:193] Found 1b objects
```
If I understand broker code correctly it works in such a way because of this line:
aws-servicebroker/pkg/broker/awsbroker.go, line 26 in d5eed7c
There is a hardcoded empty parameters map passed into a function that creates a session (and produces "Parameter 'target_role_name' not set. Not assuming role." message).
I think it is a bug but if I understand configuring broker incorrectly please correct me :)
To Reproduce
create roles like described above
configure ec2 instance role without s3 and dynamodb permissions
Expected behavior
Broker uses role defined via aws.targetrolename parameter for reading templates from s3 bucket and saving data in dynamodb instead of ec2 instance role.
Environment (please complete the following information):
Application Platform: EKS
Application Platform Version: v1.19.6-eks-49a6c0
Broker Version: 1.0.2
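The report above boils down to two things a defender can check: whether the session-creation parameters actually carry `target_role_name` (an empty map always falls back to the default credential chain, i.e. the EC2 instance role), and whether the identity the broker ends up running as matches the role it was configured with. The Go below is an added example written for this issue; it is not the aws-servicebroker code and does not use the AWS SDK. `ResolveCredentialSource` models the decision the logs describe, and `CheckEffectiveRole` parses startup log lines of the shape quoted in the report and compares the caller-identity ARN against the configured target role. The role names, account id and log lines in `SampleLogLines` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// targetRoleKey is the parameter name quoted in the broker's log line
// "Parameter 'target_role_name' not set. Not assuming role." (assumed here).
const targetRoleKey = "target_role_name"

// ResolveCredentialSource models the decision the report describes: a parameter
// map carrying target_role_name should lead to an STS AssumeRole session, while
// anything else falls back to the SDK default chain. Passing an empty map, as the
// report says awsbroker.go does, therefore always yields "default-chain".
func ResolveCredentialSource(params map[string]string) (source string, role string) {
	if r, ok := params[targetRoleKey]; ok && strings.TrimSpace(r) != "" {
		return "assume-role", r
	}
	return "default-chain", ""
}

// assumedRoleARN matches the ARN shape GetCallerIdentity returns for an assumed
// role: arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>.
var assumedRoleARN = regexp.MustCompile(`^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$`)

// RoleFromCallerARN extracts the role name from an assumed-role ARN.
func RoleFromCallerARN(arn string) (string, error) {
	m := assumedRoleARN.FindStringSubmatch(strings.TrimSpace(arn))
	if m == nil {
		return "", fmt.Errorf("not an assumed-role ARN: %q", arn)
	}
	return m[2], nil
}

var (
	// The `Arn: "..."` line inside the "Running as caller identity" block.
	callerArnLine = regexp.MustCompile(`^\s*Arn:\s*"([^"]+)"`)
	// The config echo line that reports the configured target role.
	configuredRoleLine = regexp.MustCompile(`"awsservicebroker_all_all_all_target_role_name"="([^"]+)"`)
)

// CheckEffectiveRole scans broker startup log lines and reports the role the
// broker actually runs as, the role it was configured to assume, and whether
// they agree. A mismatch is the symptom the report describes.
func CheckEffectiveRole(logLines []string) (effective, configured string, ok bool, err error) {
	for _, line := range logLines {
		if m := callerArnLine.FindStringSubmatch(line); m != nil {
			if effective, err = RoleFromCallerARN(m[1]); err != nil {
				return "", "", false, err
			}
		}
		if m := configuredRoleLine.FindStringSubmatch(line); m != nil {
			configured = m[1]
		}
	}
	if effective == "" || configured == "" {
		return effective, configured, false, errors.New("log lines lack caller identity or configured target role")
	}
	return effective, configured, effective == configured, nil
}

// SampleLogLines are constructed to mirror the shape of the report's logs; the
// account id, role names and instance id are placeholders, not real values.
var SampleLogLines = []string{
	`I0402 05:53:06.279039 1 aws_sdk.go:71] Parameter 'target_role_name' not set. Not assuming role.`,
	`I0402 05:53:06.754827 1 awsbroker.go:36] Running as caller identity '{`,
	`  Account: "123456789012",`,
	`  Arn: "arn:aws:sts::123456789012:assumed-role/eks-node-instance-role/i-0123456789abcdef0",`,
	`  UserId: "AROAEXAMPLEID:i-0123456789abcdef0"`,
	`}'.`,
	`I0402 05:53:06.754947 1 util.go:91] "awsservicebroker_all_all_all_target_role_name"="broker-target-role"`,
}

func main() {
	src, role := ResolveCredentialSource(map[string]string{})
	fmt.Printf("empty params   -> %s (role %q)\n", src, role)
	src, role = ResolveCredentialSource(map[string]string{targetRoleKey: "broker-target-role"})
	fmt.Printf("configured map -> %s (role %q)\n", src, role)

	eff, conf, ok, err := CheckEffectiveRole(SampleLogLines)
	if err != nil {
		fmt.Println("check failed:", err)
		return
	}
	fmt.Printf("running as %q, configured %q, match=%v\n", eff, conf, ok)
}
```

The log check is the useful part operationally: the "Not assuming role" line alone is easy to miss, but a caller-identity ARN whose role segment is the node instance role rather than the configured target role is a clear signal that the broker is running with whatever the instance profile grants, which is exactly why adding S3 and DynamoDB permissions to the instance role "fixed" the symptom in the report.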