S3 Controller and Minio

[yaroslavkasatikov]

Hi team,

Would it be possible to configure s3-controller and MiniO (or other s3 solution)?

I tried to change endpoint URL but got error:

2022-10-15T18:55:56.183Z ERROR setup Unable to create controller manager {"aws.service": "s3", "error": "unable to determine account ID: unable to get caller identity: InvalidClientTokenId: The security token included in the request is invalid.\n\tstatus code: 403, request id: f755d445-9b92-48c5-bad7-1137a8cd0cb0"}

I started it with the following variables:

containers:
      - args:
        - --aws-endpoint-url
        - $(AWS_ENDPOINT_URL)
        - --enable-development-logging
        - $(ACK_ENABLE_DEVELOPMENT_LOGGING)
        - --log-level
        - $(ACK_LOG_LEVEL)
        - --resource-tags
        - $(ACK_RESOURCE_TAGS)
        - --watch-namespace
        - $(ACK_WATCH_NAMESPACE)
        command:
        - ./bin/controller
        env:
        - name: ACK_SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: AWS_ENDPOINT_URL
          value: http://172.30.16.228
        - name: ACK_WATCH_NAMESPACE
        - name: ACK_ENABLE_DEVELOPMENT_LOGGING
          value: "false"
        - name: ACK_LOG_LEVEL
          value: info
        - name: ACK_RESOURCE_TAGS
          value: services.k8s.aws/controller-version=%CONTROLLER_SERVICE%-%CONTROLLER_VERSION%,services.k8s.aws/namespace=%K8S_NAMESPACE%
        - name: AWS_SHARED_CREDENTIALS_FILE
          value: /var/run/secrets/aws/credentials-file
        - name: AWS_PROFILE
          value: default

My credential file contains default minio root access id and key:

[default]
aws_access_key_id = minio
aws_secret_access_key = minio123

I tried different combination. but faced to the same mistake.

I 'm using this: public.ecr.aws/aws-controllers-k8s/s3-controller:v0.1.4

Thanks!

[a-hilaly]

Hi @yaroslavkasatikov i'm not sure but I don't think that minio and s3 control plane APIs are compatible... or maybe i'm wrong? s3-controller is expected to talk to the s3 API.

[danielloader]

It should work, at least well enough for provisioning buckets.

[RedbackThomson]

I am not sure what you are trying to achieve here. The MinIO APIs are meant to be compatible with S3's object storage APIs. The ACK S3 controller is not compatible with either of those. The ACK S3 controller is meant to CRUD S3 buckets. However, the buckets that the S3 controller creates (regular S3 buckets) are compatible with MinIO.

2022-10-15T18:55:56.183Z ERROR setup Unable to create controller manager {"aws.service": "s3", "error": "unable to > determine account ID: unable to get caller identity: InvalidClientTokenId: The security token included in the request is > invalid.\n\tstatus code: 403, request id: f755d445-9b92-48c5-bad7-1137a8cd0cb0"}

This error implies that the credentials you are trying to use to access the AWS S3 APIs are invalid.

[default]
aws_access_key_id = minio
aws_secret_access_key = minio123

These credentials are not valid IAM role/user credentials and so the S3 controller is trying to assume these to access the AWS APIs.

[ack-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

[ack-bot]

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle rotten