Describe the bug
The Conductor components which make use of the AWS SDK (i.e. conductor-awssqs-event-queue etc.) will currently not assume an IAM role which is associated with a Kubernetes service account. Enabling the AWS SDK debug logs reveals that the WebIdentityTokenCredentialsProvider credentials provider is not being included as part of the DefaultAWSCredentialsProviderChain:
c.a.a.AWSCredentialsProviderChain : Unable to load credentials from EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY))
c.a.a.AWSCredentialsProviderChain : Unable to load credentials from SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey)
c.a.a.AWSCredentialsProviderChain : Unable to load credentials from com.amazonaws.auth.profile.ProfileCredentialsProvider@109f8c7e: profile file cannot be null
c.a.a.AWSCredentialsProviderChain : Loading credentials from com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@75156240
Expected behavior
The WebIdentityTokenCredentialsProvider should be used to assume the IAM role and these credentials should be used for all AWS SDK requests.
Details
Conductor version: Snapshot (main at fec3116)
Persistence implementation: Postgres
Queue implementation: Postgres, Dynoqueues, SQS
To Reproduce
Steps to reproduce the behaviour:
docker/server
Additional context
In our AWS EKS cluster we use IAM roles for service accounts, which means making use of the WebIdentityTokenCredentialsProvider credentials provider. It turns out that the current version of the AWS SDK used by Conductor is 1.11.86; however, the minimum supported version to support the WebIdentityTokenCredentialsProvider provider is 1.11.704. I've upgraded our fork to use the latest 1.11 version (which is currently 1.11.1034) and this seems to resolve the issue. It's worth noting that as part of this change you also need to make sure that com.amazonaws:aws-java-sdk-sts is included in the class path at runtime.
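A triage helper for the debug output quoted in this issue, as an added example that is not part of the original report or of Conductor's code: it parses AWSCredentialsProviderChain log lines and flags a pod that has the IRSA environment variables set but ended up on a different provider. The function names, the `irsa_bypassed` key, and the sample role ARN and token path values are assumptions for illustration.

```python
import re

# AWSCredentialsProviderChain debug lines in the format quoted in the issue.
FAILED = re.compile(r"Unable to load credentials from ([\w.$]+)")
LOADED = re.compile(r"Loading credentials from ([\w.$]+)")
# Variables EKS injects into pods that use IAM roles for service accounts.
IRSA_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
WEB_IDENTITY = "WebIdentityTokenCredentialsProvider"

def simple_name(provider):
    """'com.amazonaws.auth.Foo' -> 'Foo' (the '@hash' suffix is never captured)."""
    return provider.rsplit(".", 1)[-1]

def audit_chain(log_lines, env):
    """Report which provider the chain settled on and whether IRSA was bypassed."""
    tried, selected = [], None
    for line in log_lines:
        failed, loaded = FAILED.search(line), LOADED.search(line)
        if failed:
            tried.append(simple_name(failed.group(1)))
        elif loaded:
            selected = simple_name(loaded.group(1))
            tried.append(selected)
    irsa = all(env.get(name) for name in IRSA_ENV)
    return {
        "tried": tried,
        "selected": selected,
        "irsa_configured": irsa,
        "web_identity_in_chain": WEB_IDENTITY in tried,
        # IRSA is set up for the pod, yet the SDK is using some other identity.
        "irsa_bypassed": irsa and selected not in (None, WEB_IDENTITY),
    }

# Log lines abridged from the issue; env values are constructed placeholders.
SAMPLE_LOG = [
    "c.a.a.AWSCredentialsProviderChain : Unable to load credentials from EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables",
    "c.a.a.AWSCredentialsProviderChain : Unable to load credentials from SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties",
    "c.a.a.AWSCredentialsProviderChain : Unable to load credentials from com.amazonaws.auth.profile.ProfileCredentialsProvider@109f8c7e: profile file cannot be null",
    "c.a.a.AWSCredentialsProviderChain : Loading credentials from com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@75156240",
]
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/example-conductor",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}

if __name__ == "__main__":
    for key, value in audit_chain(SAMPLE_LOG, SAMPLE_ENV).items():
        print(f"{key}: {value}")
```

In a real pod, pass `os.environ` and the captured SDK debug log; `irsa_bypassed: True` means AWS requests are being signed with an identity other than the service account's role.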