What content needs to be created or modified?
All components that utilize AWS services need to be added with a clear note about the correct usage of AWS credentials when defining a component spec for the following scenarios:
If any IAM policy is attached to the running daprd container (standalone or as a container Pod), one must not provide AccessKey and SecretKeys, and AccessToken
If not using any attached IAM policies, use AccessKey, SecretKey & AccessToken
Describe the solution you'd like
Where should the new material be placed?
any document related to AWS components
The associated pull request from dapr/dapr, dapr/components-contrib, or other Dapr code repos
Additional context
It has been observed several times, by the community and by this author, while using the sns/sqs AWS pubsub component, but this is true with any AWS component, that the AWS Go SDK fails to authorize access when the user passes in accessKey and secretKey in situations where the daprd process had already been granted an IAM policy through the various mechanisms of policy attachments. This results in calls to AWS assets failing on authorization and crashing the boot process of the component.
The AWS library behavior could have been more verbose to its users but it isn't, so it might be tricky for users, as they naively don't see a reason why their provided, working access and secret keys fail to allow them to use the Dapr AWS components in such cases.
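The rule stated in the issue above, written as a pre-deployment check over a component spec. This is an added example, not part of the original issue and not code from Dapr; the `sessionToken` field name, the environment variables used to detect an attached role, and the sample spec are assumptions constructed for illustration.

```python
import re

# Assumptions: sessionToken is the field the issue calls "AccessToken"; an attached role shows
# up in the variables the AWS SDKs read (a node instance profile sets none, so it is missed).
STATIC_FIELDS = {"accessKey", "secretKey", "sessionToken"}
ROLE_ENV = (("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"),  # EKS service-account role
            ("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI",),      # container credential endpoint
            ("AWS_CONTAINER_CREDENTIALS_FULL_URI",))
NAME_RE = re.compile(r"^\s*-\s*name:\s*['\"]?([\w.-]+)")
# A field counts as set when it has a secretKeyRef or a non-empty literal value.
SET_RE = re.compile(r"^\s*(secretKeyRef:|value:\s*['\"]?[^'\"\s])")

# Constructed sample spec: one literal key, one secret reference, one empty value.
SAMPLE_SPEC = """\
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: snssqs-pubsub
spec:
  type: pubsub.aws.snssqs
  version: v1
  metadata:
  - name: region
    value: "us-east-1"
  - name: accessKey
    value: "EXAMPLE-ACCESS-KEY-ID"
  - name: secretKey
    secretKeyRef:
      name: aws-creds
      key: secret-key
  - name: sessionToken
    value: ""
"""

def static_credential_fields(component_yaml):
    """Credential fields the spec actually sets (literal value or secretKeyRef)."""
    found, current = [], None
    for line in component_yaml.splitlines():
        name = NAME_RE.match(line)
        if name:
            current = name.group(1)
        elif current in STATIC_FIELDS and SET_RE.match(line):
            found.append(current)
            current = None
    return found

def role_attached(env):
    return any(all(env.get(k) for k in group) for group in ROLE_ENV)

def conflicting_fields(component_yaml, env):
    return static_credential_fields(component_yaml) if role_attached(env) else []
```

Run `conflicting_fields(spec_text, os.environ)` inside the daprd container's environment; a non-empty result lists the fields to remove from the spec.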
@amimimor - This is a really important clarification to make and I suggest that we get this into the docs at least for now, whilst determining if there is anything that we can do upstream in Component-contrib and also the AWS Go SDK. Would you be able to suggest wording that we can add in a PR, and then we can determine how to roll this out to each of the AWS components.
"When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes) and the node/pod you're using had already been attached to an IAM policy defining access to AWS resources, you must not provide AWS access-key and secret-key (as well as tokens) in the definition of the Component spec you're using."