Closed james64 closed 1 month ago
Same issue with 2.1216.0 still.
@james64 thanks for opening this issue and apologies it fell out of queue. I am getting a similar error too, I'll investigate more and post my findings.
Running the script with the latest version doesn't error out for me.
{
Expiration: 'expiry-date="Sun, 23 Oct 2022 00:00:00 GMT", rule-id="YzZhYjc4MmEtYTAzNS00ZGY0LWIwYmItYWZhisdhknmsid"',
ETag: '"098f6bcd4621d373cade48789283ef3"',
VersionId: '_WpryRFHXN09GqqtPjDidajojda93'
}
done1
{
Expiration: 'expiry-date="Sun, 23 Oct 2022 00:00:00 GMT", rule-id="YzZhYjc4MmEtYTAzNS00ZGY0LWIwYmItYewiouweiojJHidhoj"',
ETag: '"098f6bcd4621d373cade4e832340940294Kj"',
VersionId: 'AlhdjSKjdkAL9vpBe2235pE6arQPoEN21',
Location: 'https://bucket.us-west-2.amazonaws.com/res/upload',
key: 'res/upload',
Key: 'res/upload',
Bucket: 'bucket'
}
done2
Can you please share the steps you follow for setting up the credentials?
Thanks for trying this out. Our setup:
- IAM role assumable via the cluster OIDC provider, with the trust condition "oidc.eks.me-south-1.amazonaws.com/id/<clusterid>:sub" = "system:serviceaccount:exampleNs:exampleAccount". Attach bucket policy to this role.
- In exampleNs create the exampleAccount service account and annotate it with eks.amazonaws.com/role-arn: <arn_of_oidc_assumable_role>
Then we spin up a pod which just runs ubuntu with long sleep and using example service account. In this pod:
$ apt-get update
$ apt-get install awscli npm vim
$ mkdir test && cd test
$ npm init --yes
$ vim package.json # add dependency for "aws-sdk": "^2.1233.0"
$ vim run.js # copy paste reproduction script verbatim
$ npm install
$ node run.js
... produces same error as stated above ...
(node:9134) UnhandledPromiseRejectionWarning: InvalidToken: The provided token is malformed or otherwise invalid.
$ aws --region me-south-1 s3 cp package.json s3://oneid-doc-sign-prs/
upload: ./package.json to s3://oneid-doc-sign-prs/package.json # upload successful
$ env | grep AWS | grep -o '^.*=' # to see that no other AWS envs are set
AWS_DEFAULT_REGION=
AWS_REGION=
AWS_ROLE_ARN=
AWS_WEB_IDENTITY_TOKEN_FILE=
awscli upload immediately afterwards using irsa credentials worked. Node example script with latest version failed. Do you see any difference between our and your setup?
@ajredniwja any luck replicating the issue? Maybe you can share description of your setup so I can help spotting the difference.
I ran into this issue, I solved it by ensuring that the below environment variables were not set (we migrated from using the secret key to OIDC) and I had to go unset these in our CI pipeline before succeeding: AWS_SECRET_KEY, AWS_SECRET_ACCESS_KEY
I came to this conclusion based this doc and the order in which things load - https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.html
@BMayhew thanks for the post :+1: However we do not have these envs set. The list of AWS-related envs we set can be seen in one of my previous posts.
Hi @james64,
I found this issue while combing through our v2 backlog. It sounds like the AssumeRoleWithWebIdentity call that the SDK makes to STS to exchange the OIDC token for a set of credentials is failing (this happens under the hood). The SDK's EKS credential provider will attempt to read the token from disk. My guess is that this is either failing to read the token from the file system, or the token is in a format it does not expect.
I'm not sure why this fails and why it works on the CLI, as it is hard to point to the exact point of failure in this flow.
You can do the following:
Finally, I would say consider upgrading to v3. The EKS credential provider is implemented differently, and the SDK offers much better logging capabilities, allowing you to do more self-debugging.
FWIW I just tested it with the v2 SDK on my EKS cluster and it works perfectly:
$ kubectl exec --stdin --tty repro -- /bin/bash
bash-5.2# cd repro/
bash-5.2# cat v2.js
const AWS = require('aws-sdk');
AWS.config.logger = console;
const ssm = new AWS.SSM();
(async () => {
try {
const params = {
Name: 'some-name',
WithDecryption: true
};
const response = await ssm.getParameter(params).promise();
console.log(response);
} catch (error) {
console.log(error);
}
})();
bash-5.2# node v2.js
(node:778) NOTE: The AWS SDK for JavaScript (v2) will enter maintenance mode
on September 8, 2024 and reach end-of-support on September 8, 2025.
Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check blog post at https://a.co/cUPnyil
(Use `node --trace-warnings ...` to show where the warning was created)
[AWS sts 200 0.137s 0 retries] assumeRoleWithWebIdentity({
WebIdentityToken: '***SensitiveInformation***',
RoleArn: 'arn:aws:iam::REDACTED:role/REDACTED',
RoleSessionName: 'token-file-web-identity'
})
[AWS ssm 200 0.191s 0 retries] getParameter({ Name: 'some-name', WithDecryption: true })
{
Parameter: {
Name: 'some-name',
Type: 'String',
Value: 'some-value',
Version: 1,
LastModifiedDate: 2024-07-03T20:13:37.758Z,
ARN: 'arn:aws:ssm:us-east-1:REDACTED:parameter/some-name',
DataType: 'text'
}
}
Let me know how it goes. Ran~
@RanVaknin thanks a lot for digging into this issue. Unfortunately I am no longer with the project where we have encountered this issue. Also I believe the particular service where this happened was migrated to different auth method. I would love to investigate more. But I do not think I can re-create the setup exactly as it was. So let's just close this issue. Thanks again
Describe the bug
This has been already reported (for example #3697) but is closed so I am opening a new one.
Using the js aws-sdk with IRSA auth to upload a file to an s3 bucket results in
InvalidToken: The provided token is malformed or otherwise invalid.
Running
aws s3 cp <file> s3://<bucket>
in a pod is successful. Running the same cmd using the js sdk (see reproduction steps) results in the error.
Expected Behavior
Successful file upload.
Current Behavior
Running reproducing js script (see below) results in this log:
Reproduction Steps
In k8s run a pod with IRSA setup. In the pod run the testing js script taken from #3697 using
"aws-sdk": "^2.1164.0"
as dependency:
Optionally run the same through aws-cli to verify it works.
Possible Solution
No idea to be honest :)
Additional Information/Context
Upload to the bucket is perfectly accessible through all of these methods
SDK version used
2.1164.0
Environment details (OS name and version, etc.)
ubuntu image on top of amazon linux os host. K8s 1.21