Open shekharpalit opened 1 year ago
Can you please create a Support ticket for this issue? The issue seems specific to your setup.
Support is not being helpful here. Can you please guide me on what I am missing here and how to resolve this issue?
We need to understand why it is failing to load the AWS credentials document from STS. Can you enable debug logs so we know more details about why it fails?
Sometimes the AWS_WEB_IDENTITY_TOKEN_FILE will be missing if AWS_ROLE_ARN is manually specified. "By design the EKS pod identity webhook will not overwrite customer-defined AWS_ROLE_ARN/AWS_WEB_IDENTITY_TOKEN_FILE." https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/pkg/handler/handler.go#L142-L154
AWS Troubleshooting docs: https://docs.aws.amazon.com/app-mesh/latest/userguide/troubleshooting-kubernetes.html#ts-kubernetes-irsa-not-working
This is just one known issue, but I am not sure what it is in your case. So through a support ticket we would be able to get into the details of the issue. Can you please let me know if you already have an open ticket for this issue?
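The known issue described in the comment above (the webhook skipping injection when AWS_ROLE_ARN is already set, leaving AWS_WEB_IDENTITY_TOKEN_FILE absent) can be checked directly against a pod spec. The script below is an added example for this thread, not code from the pod identity webhook or from AWS; it takes the JSON that `kubectl get pod <name> -o json` returns, and it assumes the webhook's projected token volume uses the audience `sts.amazonaws.com` and that the container must mount the directory containing the token file. The two pod specs inside it are constructed for illustration.

```python
"""Classify a pod's IRSA wiring from its spec (kubectl get pod -o json).

Reports, per container, one of:
  ok                      - role ARN, token file env var, projected volume and mount all present
  role-without-token-file - AWS_ROLE_ARN set but AWS_WEB_IDENTITY_TOKEN_FILE missing
                            (the known webhook skip described in the thread)
  no-irsa-env             - neither env var present (annotation or webhook problem)
  token-file-not-mounted  - env var points at a path no projected token volume is mounted on
"""
import json

STS_AUDIENCE = "sts.amazonaws.com"  # assumption: audience the webhook sets on the projected token


def _env_map(container):
    return {e["name"]: e.get("value") for e in container.get("env", [])}


def _has_sts_token_volume(pod):
    for vol in pod["spec"].get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if src.get("serviceAccountToken", {}).get("audience") == STS_AUDIENCE:
                return True
    return False


def _path_under_mount(path, mount_paths):
    return any(path == m or path.startswith(m.rstrip("/") + "/") for m in mount_paths)


def check_irsa(pod):
    """Return {container_name: status} for every container in the pod spec."""
    has_volume = _has_sts_token_volume(pod)
    result = {}
    for c in pod["spec"].get("containers", []):
        env = _env_map(c)
        role = env.get("AWS_ROLE_ARN")
        token = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
        mounts = [m["mountPath"] for m in c.get("volumeMounts", [])]
        if role and not token:
            status = "role-without-token-file"
        elif not role and not token:
            status = "no-irsa-env"
        elif not has_volume or not _path_under_mount(token, mounts):
            status = "token-file-not-mounted"
        else:
            status = "ok"
        result[c["name"]] = status
    return result


# Constructed sample: AWS_ROLE_ARN hard-coded in the deployment, so the webhook skipped it.
POD_MANUAL_ROLE = json.loads("""
{"spec": {"containers": [{"name": "app",
   "env": [{"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::123456789012:role/example-role"}]}],
  "volumes": []}}
""")

# Constructed sample: fully injected by the webhook.
POD_INJECTED = json.loads("""
{"spec": {"containers": [{"name": "app",
   "env": [{"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::123456789012:role/example-role"},
           {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
            "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],
   "volumeMounts": [{"name": "aws-iam-token",
                     "mountPath": "/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}],
  "volumes": [{"name": "aws-iam-token", "projected": {"sources": [
     {"serviceAccountToken": {"audience": "sts.amazonaws.com", "path": "token"}}]}}]}}
""")

if __name__ == "__main__":
    for label, pod in (("manual role", POD_MANUAL_ROLE), ("injected", POD_INJECTED)):
        print(label, check_irsa(pod))
```

Run it against a live pod by replacing the constructed samples with `json.load(open("pod.json"))` after `kubectl get pod <name> -o json > pod.json`; a `role-without-token-file` result means the deployment's own env block is pre-empting the webhook and the hard-coded AWS_ROLE_ARN should be removed so the webhook can inject both variables and the token volume.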
Summary: Our application, running on an AWS EKS cluster using AWS App Mesh, is experiencing connectivity issues. The application's pods are not able to reach out to the internet. We have set the egressFilter in App Mesh to ALLOW_ALL, and the service account attached to the pods has the necessary IAM policies (AWSCloudMapFullAccess, AWSAppMeshFullAccess, and AWSAppMeshEnvoyAccess) attached. When checking the logs of the Envoy proxy, we observed the following error message:
We have tried several troubleshooting steps, including verifying the IAM policies, the IAM role's trust relationship, service account assignments, system time on the EKS nodes, and more, but the issue persists.
The aicronaut app we are trying to run inside the pod after we activate the mesh:
This is my YAML file which creates the virtual services, router, and nodes:
And this is my serviceaccount.yaml file which I am using in the Helm chart:
This is enabled in my deployment.yaml file in the Helm chart:
Note:
Steps to Reproduce
Expected behavior: The application should be able to reach out to the internet and not present any STS credential-related errors in the Envoy logs.
Actual behavior: The application fails to reach the internet and the Envoy logs present STS credential-related errors.