aws / aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
Apache License 2.0

AWS-SDK-JS V3 does not support IRSA credentials from EKS service account #2276

Closed sunnynature closed 3 years ago

sunnynature commented 3 years ago

Describe the bug

AWS-SDK-JS V3 does not use the IRSA role but uses the default EC2 role.

Your environment

SDK version number

None of the following work:

- @aws-sdk/client-appconfig@3.7.0
- @aws-sdk/client-appconfig@3.10.0
- @aws-sdk/client-appconfig@3.13.0

Is the issue in the browser/Node.js/ReactNative?

Node.js

Details of the browser/Node.js/ReactNative version

$ node -v
v12.16.3

Steps to reproduce

Inside a pod in EKS with AWS_WEB_IDENTITY_TOKEN_FILE defined as a file with a token for the service account, execute the following script with node.js:

const { AppConfigClient, ListApplicationsCommand } = require("@aws-sdk/client-appconfig");

(async () => {
  const appconfig = new AppConfigClient({ region: "us-east-1" });
  const command = new ListApplicationsCommand({ MaxResults: 20 });
  try {
    const data = await appconfig.send(command);
    console.log(data);
  } catch (err) {
    console.error(err, err.stack);
  }
})();

Observed behavior

$ node reproduce_test.js
AccessDeniedException: User: {default EC2 role} is not authorized to perform: appconfig:ListApplications on resource: {AppConfig Resource}
    at deserializeAws_restJson1ListApplicationsCommandError ...

Expected behavior

The service account role should be used and no credential error returned. However, the default EC2 role is used and a credential error is returned.

0xlen commented 3 years ago

Looks like it relates to https://github.com/aws/aws-sdk-js-v3/issues/2176

I think you can try to explicitly specify the credential provider with @aws-sdk/credential-provider-web-identity; it gives the example below:

A basic example of using fromTokenFile:

import { getDefaultRoleAssumerWithWebIdentity } from "@aws-sdk/client-sts";
import { fromTokenFile } from "@aws-sdk/credential-provider-web-identity";

// FooClient stands for any service client, e.g. AppConfigClient
const client = new FooClient({
  credentials: fromTokenFile({
    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity()
  })
});

I deployed the following code with v3.13 in my EKS cluster with the IRSA feature enabled, and everything looks good to me.

// Import required AWS SDK clients and commands for Node.js
const { S3Client, PutObjectCommand, CreateBucketCommand } = require("@aws-sdk/client-s3");
const { getDefaultRoleAssumerWithWebIdentity } = require("@aws-sdk/client-sts");
const { fromTokenFile } = require("@aws-sdk/credential-provider-web-identity");

// Set the AWS region
const REGION = "us-east-1"; // e.g., "us-east-1"

// Set the bucket parameters
const bucketName = "my-bucket";
const bucketParams = { Bucket: bucketName };

// Create name for uploaded object key
const keyName = "hello_world.txt";
const objectParams = { Bucket: bucketName, Key: keyName, Body: "Hello World!" };

// Create an S3 client service object
const s3 = new S3Client({
  region: REGION,
  credentials: fromTokenFile({
    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity()
  })
});

const run = async () => {
  // Create S3 bucket
  try {
    const data = await s3.send(new CreateBucketCommand(bucketParams));
    console.log("Success. Bucket created.");
  } catch (err) {
    console.log("Error", err);
  }
  try {
    const results = await s3.send(new PutObjectCommand(objectParams));
    console.log("Successfully uploaded data to " + bucketName + "/" + keyName);
  } catch (err) {
    console.log("Error", err);
  }
};
run();

sunnynature commented 3 years ago

Thanks very much, it works for me.

sunnynature commented 3 years ago

Hi @0xlen, can the package @aws-sdk/credential-provider-web-identity work on the browser side, too? I hit the following error when using the package in the browser. I tried to fix the error by adding the section "node: { fs: 'empty' }" to webpack.config.js, however it introduced a new error at runtime. So I wonder whether and how the package can be used in the browser, thanks!

Uncaught Error: Cannot find module 'fs'
    at webpackMissingModule (fromTokenFile.js?090b:1)
    at Module.eval (fromTokenFile.js?090b:1)
    at eval (fromTokenFile.js:32)
    at Module../node_modules/@aws-sdk/credential-provider-web-identity/dist/es/fromTokenFile.js (vendors.7fb424522b4763d7504bc27685f423ff.js:23384)
    at __webpack_require__ (runtime.4c51f36a57a4920e51bf4367a5e3d9a3.js:849)
    at fn (runtime.4c51f36a57a4920e51bf4367a5e3d9a3.js:151)
    at eval (index.js?fa69:1)
    at Module../node_modules/@aws-sdk/credential-provider-web-identity/dist/es/index.js (vendors.7fb424522b4763d7504bc27685f423ff.js:23396)
    at __webpack_require__ (runtime.4c51f36a57a4920e51bf4367a5e3d9a3.js:849)
    at fn (runtime.4c51f36a57a4920e51bf4367a5e3d9a3.js:151)

github-actions[bot] commented 3 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.