awslabs / amazon-kinesis-client-nodejs

Amazon Kinesis Client Library for Node.js
Apache License 2.0

KCL consumer on kubernetes does not pick up IAM role via serviceAccount. #79

Open yogesh8177 opened 3 years ago

yogesh8177 commented 3 years ago

Deploying a KCL consumer via Kubernetes on the AWS EKS service does not pick up the IAM role from the serviceAccount with AWSCredentialsProvider = DefaultAWSCredentialsProviderChain; instead it uses the node-level role.

The following environment variables are present in the service, but it still doesn't seem to pick it up. However, it works when I provide AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

AWS_DEFAULT_REGION=<region>
AWS_REGION=<region>
AWS_ROLE_ARN=<role-arn>
AWS_WEB_IDENTITY_TOKEN_FILE=<token-path>

gmaghera commented 3 years ago

We are bumping into this too. https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/ is something we have asked our engineering teams to follow, but it seems to conflict with the lack of support here.

Is there maybe some setting that would result in the IAM role for service account getting seen by aws-kcl?