iguyking opened 2 years ago
Hi @iguyking,
Good morning.
Could you please confirm the following:
- AWS_ROLE_ARN
- AWS_WEB_IDENTITY_TOKEN_FILE
- Some issues are resolved after cluster upgrade as was the case in https://github.com/aws/aws-sdk-net/issues/1615.
Thanks, Ashish
EKS version is 1.20
AWS_ROLE_ARN & AWS_WEB_IDENTITY_TOKEN_FILE are set and work properly for the python based aws cli commands.
I ran the aws cli & powershell commands in the same OS/same docker container session.
That ticket is around Windows based OSes. This is from an ubuntu 20.04 image.
What can I help give you to see this work or not work?
Update:
EKS version 1.21.5-20211117 Powershell 7.2.0 Using Ubuntu 20.04.3 LTS.
Still not working where the aws python works.
PS /> import-module AWSPowershell.NetCore
PS /> gci env:A*
Name Value
---- -----
AWS_ROLE_ARN arn:aws:iam::123423341127:role/powershell-test-role
AWS_WEB_IDENTITY_TOKEN_FILE /var/run/secrets/eks.amazonaws.com/serviceaccount/token
AWS_DEFAULT_REGION us-west-2
AWS_REGION us-west-2
PS /> Get-STSCallerIdentity | select *
LoggedAt : 11/23/2021 22:54:09
Account : 123423341127
Arn : arn:aws:sts::123423341127:assumed-role/team2021111722262155740000000e/i-00e0324c06a60e198
UserId : AXOAQWCVGYJDSCMQZGHOP:i-00e0324c06a60e198
ResponseMetadata : Amazon.Runtime.ResponseMetadata
ContentLength : 486
HttpStatusCode : OK
PS /> aws sts get-caller-identity
{
"UserId": "AXOAQWCVGYJDTJRFCNTOS:botocore-session-1637708010",
"Account": "123423341127",
"Arn": "arn:aws:sts::123423341127:assumed-role/powershell-test-role/botocore-session-1637708010"
}
PS /> $PSVersionTable
Name Value
---- -----
PSVersion 7.2.0
PSEdition Core
GitCommitId 7.2.0
OS Linux 5.4.156-83.273.amzn2.x86_64 #1 SMP Sat Oct 30 12:59:07 UTC 2021
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
PS /> cat /etc/issue
Ubuntu 20.04.3 LTS \n \l
1. Create a new role called powershell-test-role in the account & update the trust to match your EKS cluster for IRSA: powershell-test-role-trust.json.txt
2. Setup a standard EKS Cluster. Use this set of YAML (update the role ARN in the ServiceAccount): powershell-test.yaml.txt
3. Connect in over kubectl exec. Run:
apt-get update
apt-get -y install ca-certificates unzip curl git gnupg apt-transport-https pkg-config
curl https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb --output packages.deb
dpkg -i ./packages.deb
apt-get update
apt-get install powershell
pwsh -c Install-Module -Name AWSPowerShell.NetCore -Repository PSGallery -Force -ErrorAction Stop
pwsh
import-module AWSPowershell.NetCore
Get-STSCallerIdentity
Reproducible, with output of Get-STSCallerIdentity different from aws sts get-caller-identity.
STEPS:
Create cluster with Ubuntu 20.04 LTS and with IAM OIDC associated:
eksctl create cluster --name ubuntu-powershell-test --version 1.21 --node-ami-family=Ubuntu2004 --with-oidc
Namespace is kube-system. Use this in subsequent commands and deployment templates.
Create IAM Service Account:
eksctl create iamserviceaccount --name my-serviceaccount --namespace kube-system --cluster ubuntu-powershell-test --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess --approve
Use the below template and execute command kubectl apply -f ubuntu-powershell-test.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ubuntu
  labels:
    app: ubuntu
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ubuntu
  replicas: 1
  template:
    metadata:
      name: ubuntu
      labels:
        app.kubernetes.io/name: ubuntu
    spec:
      serviceAccountName: "my-serviceaccount"
      nodeSelector:
        beta.kubernetes.io/arch: amd64
      containers:
      - name: ubuntu
        image: "ubuntu:20.04"
        imagePullPolicy: Always
        command: ["/bin/sh"]
        args: ["-c", "while true; do echo hello; sleep 10;done"]
Watch for pod creation in the namespace using command:
kubectl get pods --namespace kube-system -o wide --watch
Once the Ubuntu pod is created, open an interactive session on the Ubuntu pod using command kubectl exec --stdin --tty ubuntu-56c5bf5cf6-68hdp --namespace kube-system -- /bin/bash
On the connected Ubuntu pod, run:
apt-get update
apt-get -y install ca-certificates unzip curl git gnupg apt-transport-https pkg-config
curl https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb --output packages.deb
dpkg -i ./packages.deb
apt-get update
apt-get install powershell
pwsh -c Install-Module -Name AWSPowerShell.NetCore -Repository PSGallery -Force -ErrorAction Stop
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install
env | grep AWS
shows:
AWS_ROLE_ARN=arn:aws:iam::<<ACCOUNT-ID>>:role/eksctl-ubuntu-powershell-test-addon-iamservi-Role1-1ENWEJZZEEZNE
AWS_DEFAULT_REGION=us-east-2
AWS_REGION=us-east-2
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
Run aws sts get-caller-identity in the connected pod and examine the output:
{
"UserId": "AROASA6NRDFTRA3E5WHQ2:botocore-session-1643830450",
"Account": "139480602983",
"Arn": "arn:aws:sts::<<ACCOUNT-ID>>:assumed-role/eksctl-ubuntu-powershell-test-addon-iamservi-Role1-1ENWEJZZEEZNE/botocore-session-1643830450"
}
Run Get-STSCallerIdentity:
pwsh
Import-Module AWSPowershell.NetCore
Get-STSCallerIdentity | select *
It produces the below output:
LoggedAt : 02/02/2022 11:34:44
Account : 139480602983
Arn : arn:aws:sts::<<ACCOUNT-ID>>:assumed-role/eksctl-ubuntu-powershell-test-nod-NodeInstanceRole-3H8K5EYL8LDE/i-0357f9a442d1eeba4
UserId : AROASA6NRDFTWYT5EEQAO:i-0357f9a442d1eeba4
ResponseMetadata : Amazon.Runtime.ResponseMetadata
ContentLength : 508
HttpStatusCode : OK
Notice that the output of aws sts get-caller-identity is pointing to the value specified by environment variable AWS_ROLE_ARN, whereas the output of Get-STSCallerIdentity is pointing to the node instance role.
I encountered the same issue and managed to find a workaround:
Import-Module AWSPowershell.NetCore
$AWS_CREDS = Use-STSWebIdentityRole -RoleArn $env:AWS_ROLE_ARN -RoleSessionName $env:HOSTNAME -WebIdentityToken $(gc $env:AWS_WEB_IDENTITY_TOKEN_FILE) -Select 'Credentials'
Set-AWSCredential -Credential $AWS_CREDS
Get-STSCallerIdentity
Haven't refactored my workload yet, but I guess I would need to implement logic to ensure the creds are periodically updated.
Thanks so much, abstrask! This worked, but still weird why we have to do this.
I end up adding this to my scripts so I can still run them both in pods or on EC2 instances.
## Fix some weird problem when running inside a AWS EKS pod IAM it not pick up pod role base
if ( $env:AWS_ROLE_ARN -ne $null -and $env:AWS_WEB_IDENTITY_TOKEN_FILE -ne $null ) {
    ## We are running in AWS EKS using POD base IAM so we have to help get the pod role base working
    $AWS_CREDS = Use-STSWebIdentityRole -RoleArn $env:AWS_ROLE_ARN -RoleSessionName $env:HOSTNAME -WebIdentityToken $(gc $env:AWS_WEB_IDENTITY_TOKEN_FILE) -Select 'Credentials'
    Set-AWSCredential -Credential $AWS_CREDS
}
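An added example (not code from this thread or from the AWS Tools for PowerShell project) that turns the two workarounds above into a helper which re-assumes the IRSA role before the STS credentials expire, as the note about periodically updating the creds calls for, and then fails closed if calls would still be made as the node's instance role. The function names, the 5-minute refresh margin, the 'pwsh-irsa' fallback session name and the `$script:IrsaCredential` cache are assumptions; the ARN parsing assumes the assumed-role/<role>/<session> layout shown in the outputs above.

```powershell
Import-Module AWSPowershell.NetCore

# (Re)assume the IRSA role when no credentials are cached or they expire within $MinutesBefore.
# Returns $true when a new assume-role call was made, $false when the cached ones are still valid.
function Update-IrsaCredential {
    param([int]$MinutesBefore = 5)   # assumed refresh margin

    if (-not ($env:AWS_ROLE_ARN -and $env:AWS_WEB_IDENTITY_TOKEN_FILE)) {
        # Not running under IRSA (e.g. plain EC2): leave the default credential chain alone.
        return $false
    }

    $cached = $script:IrsaCredential
    if ($cached -and $cached.Expiration.ToUniversalTime() -gt (Get-Date).ToUniversalTime().AddMinutes($MinutesBefore)) {
        return $false
    }

    # RoleSessionName is mandatory and HOSTNAME can be unset in some images; fall back to a fixed name.
    # STS only accepts [\w+=,.@-] and at most 64 characters.
    $sessionName = if ($env:HOSTNAME) { $env:HOSTNAME } else { 'pwsh-irsa' }
    $sessionName = $sessionName -replace '[^\w+=,.@-]', '-'
    if ($sessionName.Length -gt 64) { $sessionName = $sessionName.Substring(0, 64) }

    # Re-read the projected token on every refresh: the kubelet rotates it, so never cache its content.
    $token = Get-Content -Raw -Path $env:AWS_WEB_IDENTITY_TOKEN_FILE

    $script:IrsaCredential = Use-STSWebIdentityRole -RoleArn $env:AWS_ROLE_ARN `
        -RoleSessionName $sessionName -WebIdentityToken $token -Select 'Credentials'
    Set-AWSCredential -Credential $script:IrsaCredential
    return $true
}

# Fail closed: confirm the effective identity is the IRSA role, not the node's instance profile.
function Assert-IrsaIdentity {
    $expectedRole = ($env:AWS_ROLE_ARN -split '/')[-1]   # arn:aws:iam::<acct>:role/<name>
    $identity = Get-STSCallerIdentity
    $actualRole = ($identity.Arn -split '/')[-2]          # arn:aws:sts::<acct>:assumed-role/<name>/<session>
    if ($actualRole -ne $expectedRole) {
        throw "Expected IRSA role '$expectedRole' but calls are made as '$($identity.Arn)'"
    }
    return $identity.Arn
}

Update-IrsaCredential | Out-Null
Assert-IrsaIdentity
```

Call Update-IrsaCredential again before long-running loops or scheduled work; it is a no-op while the cached credentials are still well inside their lifetime.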
Description
Attempting to utilize AWS Powershell Netcore tooling with EKS using IRSA credentials which supply the AWS_WEB_IDENTITY_TOKEN_FILE environment variable and file for getting credentials for a kubernetes pod. When making calls such as Use-STSCallerIdentity, the AWS cmdlets do not find the Web Identity Token information. Instead it is defaulting to the node's instance profile.
Reproduction Steps
1. Create a basic Ubuntu Docker Image with .NET 5 (latest) and Powershell Core downloaded.
2. Install AWSPowershell.NetCore version 4.1.15.0.
3. Setup EKS with the recommended IRSA configuration and assign this role to the deployment pod in question.
4. Run Get-STSCallerIdentity
This will return the node's IAM role, not the Pods.
AWS CLI will return correctly:
Powershell call will return
Environment
Resolution
This is a :bug: bug-report