Closed PaveLGIL closed 3 months ago
Hello! I have a service account with a role that contains the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:ListBucket",
      "Effect": "Allow",
      "Resource": ["bucket"],
      "Sid": "S3ListBuckets"
    },
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": ["bucket/*"],
      "Sid": "S3CRUD"
    },
    {
      "Action": [
        "kms:ReEncrypt*",
        "kms:GetPublicKey",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Resource": "key-arn",
      "Sid": "KMS"
    }
  ]
}
```
My PV:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: {{ .Values.volume.pvcName }}-pv
spec:
  capacity:
    storage: 1200Gi # ignored, required
  accessModes:
    - ReadWriteMany # supported options: ReadWriteMany / ReadOnlyMany
  mountOptions:
    - allow-delete
    - region eu-central-1
  csi:
    driver: s3.csi.aws.com # required
    volumeHandle: s3-csi-driver-volume
    volumeAttributes:
      bucketName: {{ .Values.volume.versions.s3VersionsBucketName }}
```
My PVC:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ .Values.volume.pvcName }}-claim
spec:
  accessModes:
    - ReadWriteMany # supported options: ReadWriteMany / ReadOnlyMany
  storageClassName: "" # required for static provisioning
  resources:
    requests:
      storage: 1200Gi # ignored, required
  volumeName: {{ .Values.volume.pvcName }}-pv
```
But I encounter this problem in the logs:
```
1 node.go:65] NodePublishVolume: req: volume_id:"s3-csi-driver-volume" target_path:"/var/lib/kubelet/pods/420753ac-d284-4e86-bc6f-4083ae1de68c/volumes/kubernetes.io~csi/<volume>/mount" volume_capability:<mount:<mount_flags:"allow-delete" mount_flags:"region eu-central-1" > access_mode:<mode:MULTI_NODE_MULTI_WRITER > > volume_context:<key:"bucketName" value:"bucket" >
1 node.go:112] NodePublishVolume: mounting bucket at /var/lib/kubelet/pods/420753ac-d284-4e86-bc6f-4083ae1de68c/volumes/kubernetes.io~csi/<pv>/mount with options [--allow-delete --region=eu-central-1]
1 driver.go:96] GRPC error: rpc error: code = Internal desc = Could not mount "bucket" at "/var/lib/kubelet/pods/420753ac-d284-4e86-bc6f-4083ae1de68c/volumes/kubernetes.io~csi/<pv>/mount": Mount failed: Failed to start service output: Error: Failed to create S3 client Caused by: 0: initial ListObjectsV2 failed for bucket bucket in region eu-central-1 1: Client error 2: Forbidden: Access Denied Error: Failed to create mount process
```
Could you please help me with this?
Move to bug
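The failing call in the log is the initial `ListObjectsV2` that Mountpoint issues when it creates the S3 client. In IAM that call is authorized by `s3:ListBucket` on the bucket ARN (`arn:aws:s3:::<name>`), not on `<name>/*`, and a `Resource` value that is not an ARN at all can never match a request, so it yields exactly this `Access Denied`. The checker below is an added example, not code from the issue or from the mountpoint-s3-csi-driver project: it lints a policy document offline for the S3 statements a mount needs, treating the posted `"bucket"` / `"bucket/*"` values as they appear (they may be redactions in the issue). It assumes the bucket name `bucket`, ignores `Condition`, `NotAction` and `NotResource`, and uses glob matching as a simplification of IAM's evaluator; `aws iam simulate-principal-policy` against the real role remains the authoritative test. Separately from the policy shape, the mount in the log is performed by the driver's node pod, so whichever identity that pod uses at mount time must actually carry the role; this example checks only the policy text.

```python
"""Offline shape check for the S3 grants an IAM policy must contain before
Mountpoint for Amazon S3 can mount a bucket: s3:ListBucket on the bucket ARN
(the startup ListObjectsV2) and the object actions on <bucket ARN>/*.
Added example; not part of the CSI driver. Conditions are not evaluated."""
import fnmatch
import json

BUCKET_ACTIONS = {"s3:ListBucket"}                                 # authorizes ListObjectsV2
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}  # needed with --allow-delete


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed(policy, action, arn):
    """True if an Allow statement matches (action, arn) and no Deny statement does.
    Glob matching approximates IAM wildcards; Condition blocks are ignored."""
    allow = deny = False
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(arn, r)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Allow":
            allow = True
        elif stmt.get("Effect") == "Deny":
            deny = True
    return allow and not deny


def check_s3_csi_policy(policy, bucket_name):
    """Return findings as strings; an empty list means the S3 grants are sufficient."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    probe_object = f"{bucket_arn}/any/key"   # a representative object ARN under the bucket

    # 1. Every resource attached to an s3:* action must be an S3 ARN (or "*"); a bare
    #    bucket name cannot match any request and therefore denies by default.
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if not any(a.lower().startswith("s3:") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res != "*" and not res.startswith("arn:aws:s3:::"):
                findings.append(f'{stmt.get("Sid", "<no Sid>")}: resource "{res}" is not an S3 ARN '
                                f'(expected arn:aws:s3:::...)')

    # 2. Bucket-level grant for the initial ListObjectsV2.
    for action in sorted(BUCKET_ACTIONS):
        if not allowed(policy, action, bucket_arn):
            findings.append(f"{action} is not allowed on {bucket_arn} "
                            f"(the initial ListObjectsV2 will fail with Access Denied)")

    # 3. Object-level grants for reads, writes and deletes.
    for action in sorted(OBJECT_ACTIONS):
        if not allowed(policy, action, probe_object):
            findings.append(f"{action} is not allowed on {bucket_arn}/*")
    return findings


# The policy exactly as posted in the issue (resources "bucket" and "bucket/*").
POSTED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Action": "s3:ListBucket", "Effect": "Allow", "Resource": ["bucket"], "Sid": "S3ListBuckets"},
  {"Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Effect": "Allow",
   "Resource": ["bucket/*"], "Sid": "S3CRUD"},
  {"Action": ["kms:ReEncrypt*", "kms:GetPublicKey", "kms:GenerateDataKey*", "kms:Encrypt",
              "kms:DescribeKey", "kms:Decrypt"], "Effect": "Allow", "Resource": "key-arn", "Sid": "KMS"}
]}
""")


def fixed_policy(bucket_name, key_arn):
    """Same statements with the S3 resources written as ARNs (key_arn is a placeholder)."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "S3ListBuckets", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": [bucket_arn]},
            {"Sid": "S3CRUD", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
             "Resource": [f"{bucket_arn}/*"]},
            {"Sid": "KMS", "Effect": "Allow",
             "Action": ["kms:ReEncrypt*", "kms:GetPublicKey", "kms:GenerateDataKey*",
                        "kms:Encrypt", "kms:DescribeKey", "kms:Decrypt"],
             "Resource": key_arn},
        ],
    }


if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY),
                      ("fixed", fixed_policy("bucket", "arn:aws:kms:eu-central-1:111122223333:key/example"))):
        print(name, check_s3_csi_policy(pol, "bucket") or ["ok"])
```

Run it with the real policy JSON (`aws iam get-role-policy` / `get-policy-version` output) and the real bucket name substituted for the constructed inputs above; if the linter passes but the mount still fails, the problem is the identity the driver pod is using rather than the policy text.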