[1.7 dev] AWS Plugins can not connect to AWS services #2927
Comments
@PettitWesley can you try a new fresh build from GIT master (using the latest changes)?
As of yesterday, we saw the same issue. CC @zhonghui12
Hi @edsiper, we still face the same issue:
I am trying to reproduce this locally. Would you please instruct me how to set up the authentication properly using the following config snippet?
Having this issue with fluent/fluent-bit:1.7 image
Works with 1.6.10
Documentation on credentials / authentication / authorization seems to be very light or not altogether there: I'm having similar issues as described above using IRSA on an EKS Cluster. Pods are annotated with what Amazon expects to provision the environment with the AWS_ROLE_ARN and WEB_IDENTITY_TOKEN_FILE, but that doesn't seem to be picked up by the plugin without additional configuration. Those values seem to be for the AWS CLI as well. Using Helm Charts to install Fluent-Bit 1.7.2 distroless.

Edit: Scanning the code base does show that those environment variables are within consideration; I'm investigating if it's something tied to permissions & restrictions I'm unaware of in the AWS Account. But documentation would still be helpful!
@TDanielsHL There's no documentation because the AWS Fluent Bit plugins are supposed to support IAM Roles for Service accounts, and all other standard methods for retrieving AWS credentials. It should work in any setup where any tools using one of the standard AWS SDKs would work. The code in fluent bit is not a standard AWS SDK, it's custom, but it's meant to be identical in behavior. Maybe we could add a note in the docs which states that and lists the standard order of resolution for credential sources. I wish the official AWS documentation had some sort of nice explainer on all the standard credential sources and how each one works. Then we could just link to that. If you think you've found a bug here, give us more details.
@PettitWesley Thank you for the response. I don't think it's a bug with the plugin after digging in and getting debug logging working. We did have to dig to find documentation about credentials and how it is sourced; if things work out of the box (and they can), all's well, but if it doesn't, it's helpful to have handy. I did see the order of operations on credential sourcing, and we believe our IRSA problems are related to the AWS Account rather than the plugin. Still, not to beat this over the head, how the plugin ties into these systems if things don't work out of the box would be Nice to Have.
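As an added illustration of the exchange above (not code from Fluent Bit or from any commenter): a check of which credential sources a process environment exposes, so that a half-configured IRSA setup or an earlier source shadowing the intended role is visible before reading plugin debug logs. The resolution order and the variable names `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` are assumptions taken from the usual AWS SDK default chain; the thread refers to a standard order but does not list it.

```python
import os

def _readable(path):
    return os.path.isfile(path) and os.access(path, os.R_OK)

def _pair(env, a, b, check=None):
    """Classify a source that needs two settings; `check` validates the second."""
    va, vb = env.get(a), env.get(b)
    if va and vb:
        if check and not check(vb):
            return "incomplete", f"{b} points to a missing or unreadable file"
        return "present", ""
    if va or vb:
        return "incomplete", f"only one of {a} / {b} is set"
    return "absent", ""

def credential_sources(env, readable=_readable):
    """Return [(source, status, detail)] in the assumed resolution order.

    Only presence is reported; no secret value is read or returned.
    """
    shared = env.get("AWS_SHARED_CREDENTIALS_FILE") or os.path.join(
        env.get("HOME", ""), ".aws", "credentials")
    ecs = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    return [
        ("environment keys",)
        + _pair(env, "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"),
        ("shared credentials file",
         "present" if readable(shared) else "absent", shared),
        ("web identity (IRSA)",)
        + _pair(env, "AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE", readable),
        ("container endpoint", "present" if ecs else "absent", ""),
        # Instance metadata needs a network call, so it is listed, not probed.
        ("instance metadata", "unknown", "last resort; not probed"),
    ]

def first_present(report):
    """Name of the first source the chain would stop at, or None."""
    return next((n for n, status, _ in report if status == "present"), None)

if __name__ == "__main__":
    for name, status, detail in credential_sources(os.environ):
        print(f"{name:24} {status:10} {detail}")
```

When the web identity row reads `incomplete` and nothing earlier is present, a standard chain falls through to the later sources, which on EKS usually means the node's instance role rather than the pod's own role.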
Are you able to help me with this one please?
@michaelm-88 I think it's the quotes in your group name.
Hi @PettitWesley, @michaelm-88 @TDanielsHL This is also happening when using aws-for-fluent-bit helm chart
Master only, not released
Requests to S3 do not seem to work:
Which comes from here: https://github.com/fluent/fluent-bit/blob/master/src/aws/flb_aws_util.c#L273
I see the same errors in all AWS plugins: