Open vipan06 opened 2 months ago
By the looks of it you don't have the token injected by the webhook. The amazon-eks-pod-identity webhook adds the token in this file: /var/run/secrets/eks.amazonaws.com/serviceaccount/token. Please check that these env vars are populated: AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN. If you don't see these env vars, that means the webhook is not doing what it's supposed to do. Then the next place to look is the Service Account itself. Make sure that you have the right annotation.
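A diagnostic that runs the checks this comment describes, as an added example that is not part of the thread or of the amazon-eks-pod-identity-webhook project: it reports whether the IRSA webhook variables AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN are set and whether the token file they point at is non-empty, and prints the claims of a web identity token (issuer, audience, expiry) without its signature. Because the issue itself uses the EKS Pod Identity agent, which injects AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE and AWS_CONTAINER_CREDENTIAL_FULL_URI instead of the two variables above, the script checks that family as well. The sample token and its claim values are constructed for the example and are not real credentials.

```shell
#!/bin/sh
# Added diagnostic for this thread (not from the issue or the webhook project).
# Reports which AWS credential-injection mechanism, if any, mutated this pod:
#   IRSA (amazon-eks-pod-identity-webhook): AWS_WEB_IDENTITY_TOKEN_FILE + AWS_ROLE_ARN
#   EKS Pod Identity agent: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE + AWS_CONTAINER_CREDENTIAL_FULL_URI
# Only variable names and file paths are printed; token contents never are.

# require_var NAME -> 0 if NAME is set and non-empty, else prints a finding and returns 1
require_var() {
  eval "val=\${$1:-}"
  if [ -n "$val" ]; then
    echo "OK      $1=$val"
    return 0
  fi
  echo "MISSING $1 is not set"
  return 1
}

# require_file PATH -> 0 if PATH exists and is non-empty (the injected token file)
require_file() {
  if [ -s "$1" ]; then
    echo "OK      token file $1 present"
    return 0
  fi
  echo "MISSING token file $1 absent or empty"
  return 1
}

# check_irsa: the check the comment asks for. Returns 0 only if both env vars
# are set and the token file the first one names is non-empty.
check_irsa() {
  ok=0
  require_var AWS_WEB_IDENTITY_TOKEN_FILE || ok=1
  require_var AWS_ROLE_ARN || ok=1
  if [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
    require_file "$AWS_WEB_IDENTITY_TOKEN_FILE" || ok=1
  fi
  return $ok
}

# check_pod_identity: same shape for the EKS Pod Identity agent's variables.
check_pod_identity() {
  ok=0
  require_var AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE || ok=1
  require_var AWS_CONTAINER_CREDENTIAL_FULL_URI || ok=1
  if [ -n "${AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE:-}" ]; then
    require_file "$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE" || ok=1
  fi
  return $ok
}

# base64url helpers (RFC 4648 section 5: '-' '_' alphabet, no '=' padding)
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_claims TOKEN -> the decoded payload (second dot-separated segment).
# The signature is neither printed nor verified; this is for inspection only.
jwt_claims() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload"
}

# Constructed sample token: made-up issuer, audience and expiry, placeholder signature.
SAMPLE_PAYLOAD='{"iss":"https://oidc.eks.example/id/EXAMPLE","aud":"sts.amazonaws.com","exp":4102444800}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":"example"}' | b64url_encode).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_encode).not-a-real-signature"

echo "Claims of the constructed sample token:"
jwt_claims "$SAMPLE_TOKEN"; echo
echo "--- IRSA (webhook) ---"
if check_irsa; then echo "=> IRSA injection present"; else echo "=> IRSA injection absent"; fi
echo "--- EKS Pod Identity agent ---"
if check_pod_identity; then echo "=> Pod Identity injection present"; else echo "=> Pod Identity injection absent"; fi
```

Run it inside the affected pod (for example `kubectl exec -n vipan <pod> -- sh -s < check.sh`). A pod where neither family is present is the "webhook is not doing what it's supposed to do" case from the comment, and the next thing to inspect is how the service account is bound to the role: the annotation for IRSA, or the pod identity association for the EKS Pod Identity agent.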
What happened:
We are using the EKS Pod Identity agent to grant RDS access to a pod. For testing purposes, we attached S3 full access to the IAM role, and when we run the aws s3 ls command from the pod it says:

On further investigation, we found the below error:

The pod is deployed in namespace vipan and the service account is pod-identity. When we describe the SA, it is empty.
We followed this doc https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html to set up EKS Pod Identity, and ideally AWS or EKS should add the details to the service account.

What you expected to happen:
The pod should be able to access S3.

How to reproduce it (as minimally and precisely as possible):
Set up the EKS Pod Identity agent following the doc https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html:
- Installed the add-on
- Created a VPC endpoint for eks-auth
- Created a role, namespace and service account
- Attached that SA to a pod

Anything else we need to know?: NA

Environment:
- Platform version (aws eks describe-cluster --name <name> --query cluster.platformVersion): eks.5
- Kubernetes version (aws eks describe-cluster --name <name> --query cluster.version): 1.29