
AWS SDK not able to assume IAM role for service accounts in Kubernetes #33

Closed
dcopestake opened this issue Jan 4, 2024 · 2 comments

Comments

@dcopestake

Describe the bug
The Conductor components which make use of the AWS SDK (i.e. conductor-awssqs-event-queue etc.) currently will not assume an IAM role which is associated with a Kubernetes service account. Enabling the AWS SDK debug logs reveals that the WebIdentityTokenCredentialsProvider credentials provider is not being included as part of the DefaultAWSCredentialsProviderChain:

c.a.a.AWSCredentialsProviderChain : Unable to load credentials from EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY))
c.a.a.AWSCredentialsProviderChain : Unable to load credentials from SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey)
c.a.a.AWSCredentialsProviderChain : Unable to load credentials from com.amazonaws.auth.profile.ProfileCredentialsProvider@109f8c7e: profile file cannot be null
c.a.a.AWSCredentialsProviderChain : Loading credentials from com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@75156240

Details
Conductor version: Snapshot (main at fec3116)
Persistence implementation: Postgres
Queue implementation: Postgres, Dynoqueues, SQS

To Reproduce
Steps to reproduce the behaviour:

  1. Build server component from main at fec3116 using the Dockerfile from docker/server
  2. Run the server using the Docker image as a service in Kubernetes, with the pods using a service account that has an IAM role associated

Expected behavior
The WebIdentityTokenCredentialsProvider should be used to assume the IAM role and these credentials should be used for all AWS SDK requests.

Additional context
In our AWS EKS cluster we use IAM roles for service accounts, which means making use of the WebIdentityTokenCredentialsProvider credentials provider. It turns out that the current version of the AWS SDK used by Conductor is 1.11.86; however, the minimum version that supports the WebIdentityTokenCredentialsProvider provider is 1.11.704. I've upgraded our fork to use the latest 1.11 version (which is currently 1.11.1034) and this seems to resolve the issue. It's worth noting that as part of this change you also need to make sure that com.amazonaws:aws-java-sdk-sts is included in the class path at runtime.
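The three preconditions the report above hinges on (the pod actually carries the IRSA web identity token, the SDK is at least 1.11.704 so the default chain contains WebIdentityTokenCredentialsProvider, and aws-java-sdk-sts is on the runtime classpath) can be checked from inside the container before reading SDK debug logs. The script below is an added example, not Conductor's or the AWS SDK's code. It assumes the usual IRSA environment variables AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE injected by the EKS pod identity webhook, a library directory such as /app/libs (or a Spring Boot fat jar, which is inspected with unzip), and the sample token and jar names used in the comments are constructed for illustration.

```shell
#!/bin/sh
# irsa_preflight.sh: preflight check for IAM roles for service accounts with the
# AWS SDK for Java v1. Added example, not part of Conductor or the AWS SDK.

# Minimum SDK version that ships WebIdentityTokenCredentialsProvider (from the issue).
MIN_SDK_VERSION="1.11.704"

# version_ge A B: true when dotted version A >= B; missing fields count as 0.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 0
}

# list_jars PATH: jar names in a lib directory, or the entries of a fat jar
# (assumed Spring Boot layout, BOOT-INF/lib/...; needs unzip for the jar case).
list_jars() {
    if [ -d "$1" ]; then ls "$1"; else unzip -Z1 "$1"; fi
}

# sdk_jar_version PATH: version of aws-java-sdk-core-<v>.jar, empty when absent.
sdk_jar_version() {
    list_jars "$1" | sed -n 's#.*aws-java-sdk-core-\(.*\)\.jar$#\1#p' | head -n 1
}

# has_sts_jar PATH: true when aws-java-sdk-sts-<v>.jar is present.
has_sts_jar() {
    list_jars "$1" | grep -q 'aws-java-sdk-sts-.*\.jar$'
}

# jwt_payload FILE: decode the claims segment of the projected token so the
# sub (service account) and aud (sts.amazonaws.com) can be eyeballed.
# No signature check: STS verifies the token, this only shows what was mounted.
jwt_payload() {
    seg=$(cut -d. -f2 "$1" | tr -d '\n')
    case $(( ${#seg} % 4 )) in      # restore base64url padding
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | tr '_-' '/+' | base64 -d
}

# irsa_preflight PATH: run all checks, print findings, return 0 only if all pass.
irsa_preflight() {
    libdir=$1; rc=0
    if [ -z "$AWS_ROLE_ARN" ] || [ -z "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
        echo "FAIL: AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE not set (service account not annotated, or webhook did not mutate the pod)"
        rc=1
    elif [ ! -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
        echo "FAIL: $AWS_WEB_IDENTITY_TOKEN_FILE is not readable by this process (check fsGroup/runAsUser)"
        rc=1
    else
        echo "OK: role $AWS_ROLE_ARN, token claims: $(jwt_payload "$AWS_WEB_IDENTITY_TOKEN_FILE")"
    fi
    sdk=$(sdk_jar_version "$libdir")
    if [ -z "$sdk" ]; then
        echo "FAIL: no aws-java-sdk-core jar found in $libdir"
        rc=1
    elif version_ge "$sdk" "$MIN_SDK_VERSION"; then
        echo "OK: aws-java-sdk-core $sdk includes WebIdentityTokenCredentialsProvider in the default chain"
    else
        echo "FAIL: aws-java-sdk-core $sdk predates $MIN_SDK_VERSION; the default chain has no web identity provider"
        rc=1
    fi
    if has_sts_jar "$libdir"; then
        echo "OK: aws-java-sdk-sts present (needed for AssumeRoleWithWebIdentity)"
    else
        echo "FAIL: aws-java-sdk-sts missing from $libdir; the provider cannot call STS at runtime"
        rc=1
    fi
    return $rc
}

# Run only when a lib directory or jar is given, e.g.:
#   kubectl exec -n conductor deploy/conductor-server -- sh irsa_preflight.sh /app/libs
[ $# -eq 0 ] || irsa_preflight "$1"
```

A pod that passes all three checks but still logs the chain falling through to EC2ContainerCredentialsProviderWrapper usually has a role trust policy problem rather than an SDK problem; the decoded sub and aud claims are what the trust policy's conditions are matched against.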

@denniscodes
Contributor

As of 3.17.0 the AWS SDK has been updated:
revAwsSdk = '1.12.635'.

Does this help?

@dcopestake
Author

Yep @denniscodes, any version post 1.11.704 will resolve this, so I'll close this now.
