Closed sunnynature closed 3 years ago
Looks like this relates to https://github.com/aws/aws-sdk-js-v3/issues/2176
I think you can try to explicitly specify the Credential Provider with @aws-sdk/credential-provider-web-identity, it gives the example below:
A basic example of using fromTokenFile:
import { getDefaultRoleAssumerWithWebIdentity } from "@aws-sdk/client-sts";
import { fromTokenFile } from "@aws-sdk/credential-provider-web-identity";

// FooClient stands for any AWS SDK v3 service client
const client = new FooClient({
  credentials: fromTokenFile({
    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity()
  })
});
I deployed the following code with v3.13 in my EKS cluster with the IRSA feature enabled, and everything looks good to me.
// Import required AWS SDK clients and commands for Node.js
const { S3Client, PutObjectCommand, CreateBucketCommand } = require("@aws-sdk/client-s3");
const { getDefaultRoleAssumerWithWebIdentity } = require("@aws-sdk/client-sts");
const { fromTokenFile } = require("@aws-sdk/credential-provider-web-identity");

// Set the AWS region
const REGION = "us-east-1"; // e.g., "us-east-1"

// Set the bucket parameters
const bucketName = "my-bucket";
const bucketParams = { Bucket: bucketName };

// Create name for uploaded object key
const keyName = "hello_world.txt";
const objectParams = { Bucket: bucketName, Key: keyName, Body: "Hello World!" };

// Create an S3 client service object
const s3 = new S3Client({
  region: REGION,
  credentials: fromTokenFile({
    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity()
  })
});

const run = async () => {
  // Create S3 bucket
  try {
    const data = await s3.send(new CreateBucketCommand(bucketParams));
    console.log("Success. Bucket created.");
  } catch (err) {
    console.log("Error", err);
  }
  try {
    const results = await s3.send(new PutObjectCommand(objectParams));
    console.log("Successfully uploaded data to " + bucketName + "/" + keyName);
  } catch (err) {
    console.log("Error", err);
  }
};
run();
Thanks very much, it works for me.
Hi @0xlen, can the package @aws-sdk/credential-provider-web-identity work on the browser side, too? I hit the following error when using the package in the browser. I tried to fix the error by adding the section "node: { fs: 'empty' }" to webpack.config.js, however it would introduce a new error at runtime. So I wonder whether and how the package can be used in the browser, thanks!
Uncaught Error: Cannot find module 'fs'
    at webpackMissingModule (fromTokenFile.js?090b:1)
    at Module.eval (fromTokenFile.js?090b:1)
    at eval (fromTokenFile.js:32)
    at Module../node_modules/@aws-sdk/credential-provider-web-identity/dist/es/fromTokenFile.js (vendors.7fb424522b4763d7504bc27685f423ff.js:23384)
    at webpack_require__ (runtime.4c51f36a57a4920e51bf4367a5e3d9a3.js:849)
    at fn (runtime.4c51f36a57a4920e51bf4367a5e3d9a3.js:151)
    at eval (index.js?fa69:1)
    at Module../node_modules/@aws-sdk/credential-provider-web-identity/dist/es/index.js (vendors.7fb424522b4763d7504bc27685f423ff.js:23396)
    at webpack_require__ (runtime.4c51f36a57a4920e51bf4367a5e3d9a3.js:849)
    at fn (runtime.4c51f36a57a4920e51bf4367a5e3d9a3.js:151)
Describe the bug
AWS-SDK-JS V3 does not use the IRSA role but uses the default EC2 role.
Your environment
SDK version number
None of the following works:
@aws-sdk/client-appconfig@3.7.0
@aws-sdk/client-appconfig@3.10.0
@aws-sdk/client-appconfig@3.13.0
Is the issue in the browser/Node.js/ReactNative?
Node.js
Details of the browser/Node.js/ReactNative version
node -v
v12.16.3
Steps to reproduce
Inside a pod in EKS with AWS_WEB_IDENTITY_TOKEN_FILE defined as a file with a token for the service account, execute the following script with node.js:
const { AppConfigClient, ListApplicationsCommand } = require("@aws-sdk/client-appconfig");

(async () => {
  const appconfig = new AppConfigClient({ region: 'us-east-1' });
  const command = new ListApplicationsCommand({MaxResults: 20});
  try {
    const data = await appconfig.send(command);
    console.log(data);
  } catch (err) {
    console.error(err, err.stack);
  }
})();
Observed behavior
$ node reproduce_test.js
AccessDeniedException: User: {default EC2 role} is not authorized to perform: appconfig:ListApplications on resource: {AppConfig Resource}
    at deserializeAws_restJson1ListApplicationsCommandError ...
Expected behavior
The service account role should be used and no credential error returned. However, the default EC2 role is used and a credential error is returned.
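
One way to detect the fallback this issue describes, as an added example (not code from the thread or from the AWS SDK): compare the identity STS reports with the role named in AWS_ROLE_ARN and refuse to start on a mismatch. It assumes the pod has both IRSA variables, AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN; the helper names, account ID and role names are made up for illustration.

```javascript
// Added example: fail closed when the SDK did not resolve the IRSA role.
// Helper names are hypothetical; they are not part of the AWS SDK.

// "arn:aws:iam::<acct>:role/<optional/path/>Name" -> { account, name }
function parseRoleArn(arn) {
  const m = /^arn:[^:]+:iam::(\d{12}):role\/(?:.+\/)?([^/]+)$/.exec(arn || "");
  return m ? { account: m[1], name: m[2] } : null;
}

// "arn:aws:sts::<acct>:assumed-role/Name/<session>" -> { account, name, session }
function parseAssumedRoleArn(arn) {
  const m = /^arn:[^:]+:sts::(\d{12}):assumed-role\/([^/]+)\/(.+)$/.exec(arn || "");
  return m ? { account: m[1], name: m[2], session: m[3] } : null;
}

// Compare the identity STS reports with the role the pod was told to assume.
function checkIrsaIdentity(env, callerArn) {
  if (!env.AWS_WEB_IDENTITY_TOKEN_FILE || !env.AWS_ROLE_ARN) {
    return { ok: false, reason: "IRSA variables missing from pod environment" };
  }
  const expected = parseRoleArn(env.AWS_ROLE_ARN);
  const actual = parseAssumedRoleArn(callerArn);
  if (!expected) return { ok: false, reason: "AWS_ROLE_ARN is not an IAM role ARN" };
  if (!actual) return { ok: false, reason: "caller is not an assumed role: " + callerArn };
  // The assumed-role ARN drops the IAM path, so only account and role name are compared.
  if (actual.account !== expected.account || actual.name !== expected.name) {
    return { ok: false, reason: "caller is " + actual.name + ", expected " + expected.name };
  }
  return { ok: true, reason: "using " + expected.name };
}

// Startup guard for a pod: ask STS who we are and refuse to run on the node role.
async function assertIrsaInUse(region) {
  const { STSClient, GetCallerIdentityCommand } = require("@aws-sdk/client-sts");
  const { Arn } = await new STSClient({ region }).send(new GetCallerIdentityCommand({}));
  const result = checkIrsaIdentity(process.env, Arn);
  if (!result.ok) throw new Error("IRSA check failed: " + result.reason);
  return result;
}

// Constructed sample values (account ID and role names are made up).
const sampleEnv = {
  AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
  AWS_ROLE_ARN: "arn:aws:iam::111122223333:role/apps/appconfig-reader",
};
const nodeRoleArn = "arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0123456789abcdef0";
const irsaRoleArn = "arn:aws:sts::111122223333:assumed-role/appconfig-reader/web-identity-session";
console.log(checkIrsaIdentity(sampleEnv, nodeRoleArn)); // node role: rejected
console.log(checkIrsaIdentity(sampleEnv, irsaRoleArn)); // IRSA role: accepted
```

Calling `assertIrsaInUse("us-east-1")` before the first service call turns a silent fallback to the node's instance role into a startup failure.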