Closed alenhodzic85 closed 2 years ago
Hello @alenhodzic85,
Going by #7738, you need to add dummy values to gateway.auth.s3.accessKey/secretKey instead of leaving them blank. That should be why you are getting that error. Could you please try using the values detailed at https://github.com/bitnami/charts/issues/7738#issuecomment-1020624273? Additionally, it seems you shouldn't need to use any additional ENVs for this to work.
Besides that, https://github.com/bitnami/charts/pull/11212 did not add the gateway.auth.s3.useIRSA param, which is a typo. Would you like to contribute with a PR to fix this?
Hi @FraPazGal, I am connecting Report Portal to Minio Gateway with S3. Report portal creates buckets through Minio. Tested with plain AWS secret and access key and it works as expected.
I also configured IRSA and used that service account to access s3 buckets from another pod and that part is also working.
> CASE 1:
replicaCount: 1
serviceAccount:
  name: minio
  annotations:
    "eks.amazonaws.com/role-arn": "${aws_iam_role.minio_s3_role.arn}"
extraEnvVars:
  - name: _MINIO_SERVER_DEBUG
    value: "on"
gateway:
  enabled: true
  replicaCount: 1
  type: s3
  auth:
    s3:
      serviceEndpoint: https://s3.eu-central-1.amazonaws.com
      accessKey: "dummy_key"
      secretKey: "dummy_key"
Minio successfully deploys, but there are error logs:
---------START-HTTP---------
HEAD / HTTP/1.1
Host: probe-bucket-sign-ihxjwzihp6c5.s3.dualstack.eu-central-1.amazonaws.com
User-Agent: MinIO (linux; amd64) minio-go/v7.0.31
Authorization: AWS4-HMAC-SHA256 Credential=dummy_key/20220727/eu-central-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20220727T103018Z
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: application/xml
Date: Wed, 27 Jul 2022 10:30:17 GMT
Server: AmazonS3
X-Amz-Id-2: YYJspZf+dYTmFT8+ey6udIrJr2t3r2uS344oDsZsJN2UoO5ec+Jg7eTgGPu97BV6J09vWKGQKWQ=
X-Amz-Request-Id: 5PKNFYWYX8CVJ1BD
---------END-HTTP---------
Minio logs trying to log in to UI:
API: AccountInfo()
Time: 10:35:02 UTC 07/27/2022
DeploymentID: ac43d046-ed6b-43fd-9400-ca6a05a383ea
RequestID: 1705A9398D470A06
RemoteHost: 10.0.12.116
Host: 10.0.12.116:9000
UserAgent: MinIO (linux; amd64) madmin-go/0.0.1
Error: The AWS Access Key Id you provided does not exist in our records. (minio.ErrorResponse)
6: internal/logger/logger.go:270:logger.LogIf()
5: cmd/api-errors.go:2135:cmd.toAPIErrorCode()
4: cmd/admin-handler-utils.go:224:cmd.toAdminAPIErrCode()
3: cmd/admin-handler-utils.go:211:cmd.toAdminAPIErr()
2: cmd/admin-handlers-users.go:1182:cmd.adminAPIHandlers.AccountInfoHandler()
1: net/http/server.go:2046:http.HandlerFunc.ServeHTTP()
E: 2022/07/27 10:35:02 We encountered an internal error, please try again. (The AWS Access Key Id you provided does not exist in our records.)
%!(EXTRA madmin.ErrorResponse=We encountered an internal error, please try again. (The AWS Access Key Id you provided does not exist in our records.), *errors.errorString=invalid session)
> CASE 2:
replicaCount: 1
serviceAccount:
  name: minio
  annotations:
    "eks.amazonaws.com/role-arn": "${aws_iam_role.minio_s3_role.arn}"
extraEnvVars:
  - name: _MINIO_SERVER_DEBUG
    value: "on"
gateway:
  enabled: true
  replicaCount: 1
  type: s3
  auth:
    s3:
      useIRSA: true
      serviceEndpoint: https://s3.eu-central-1.amazonaws.com
      accessKey: "dummy_key"
      secretKey: "dummy_key"
Minio deployment fails with:
ERROR Unable to validate credentials inherited from the shell environment: Invalid credentials
> Please provide correct credentials
HINT:
Access key length should be at least 3, and secret key length at least 8 characters
Sorry for the long post.
Hello, Any update on this?
Thank you.
Hi @alenhodzic85,
I couldn't get access to an AWS cluster to test this properly, but it seems you are missing some config in your first case. I reproduced your issues using an S3 role with its trust policy not yet configured.
Please note you need to modify the default config following the script linked in the related issue. If I'm not mistaken, you'll need to access your AWS console and obtain both your account ID and OIDC provider for the AWS cluster where you are deploying MinIO.
Regarding your 2nd case, I'm pretty sure the gateway.auth.s3.useIRSA param can't be used with the current chart configuration. Even if the chart itself doesn't validate those parameters, it seems like MinIO itself does.
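Added example (not part of the thread, and not Bitnami or MinIO code): a check of an IAM role trust policy against what IRSA needs, covering the "trust policy not yet configured" case from the comment above. The account ID, OIDC provider ID and the `default` namespace are constructed placeholders; only the `minio` service account name and the region come from the thread.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_irsa_trust(policy, account_id, oidc_provider, namespace, service_account):
    """Return findings for an IAM role trust policy; [] means it fits IRSA."""
    want_principal = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
    want_sub = f"system:serviceaccount:{namespace}:{service_account}"
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        federated = principal.get("Federated", []) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or want_principal not in _as_list(federated):
            continue
        findings = []
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            findings.append("statement does not allow sts:AssumeRoleWithWebIdentity")
        # Only an exact StringEquals match is accepted here. With no :sub
        # condition at all, the role is open to every service account that
        # receives a token from this OIDC provider.
        pinned = stmt.get("Condition", {}).get("StringEquals", {})
        sub = pinned.get(f"{oidc_provider}:sub")
        if sub is None:
            findings.append(f"no StringEquals condition on {oidc_provider}:sub")
        elif want_sub not in _as_list(sub):
            findings.append(f"sub is pinned to {sub}, not {want_sub}")
        if "sts.amazonaws.com" not in _as_list(pinned.get(f"{oidc_provider}:aud", [])):
            findings.append("aud is not pinned to sts.amazonaws.com")
        return findings
    return [f"no Allow statement trusts {want_principal}"]

# Constructed sample values (placeholders, not taken from the issue).
ACCOUNT = "111122223333"
OIDC = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLE0000"

# A role whose trust policy was never changed for IRSA.
UNCONFIGURED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# The same role after adding the OIDC provider and pinning the service account.
CONFIGURED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{OIDC}:sub": "system:serviceaccount:default:minio",
        f"{OIDC}:aud": "sts.amazonaws.com"}}}]}

if __name__ == "__main__":
    for name, doc in (("unconfigured", UNCONFIGURED), ("configured", CONFIGURED)):
        print(name, check_irsa_trust(doc, ACCOUNT, OIDC, "default", "minio"))
```

The `policy` argument has the shape of the `AssumeRolePolicyDocument` field that IAM returns for a role.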
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
Name and Version
bitnami/minio 11.7.13
What steps will reproduce the bug?
Are you using any custom parameters or values?
What is the expected behavior?
Accessing S3 bucket without AWS Access and Secret ID
What do you see instead?
Additional information
PR: https://github.com/bitnami/charts/pull/11212
No gateway.auth.s3.useIRSA in values file. Successfully tested the role with another container.
Some older issues: https://github.com/bitnami/charts/issues/7738 https://github.com/minio/minio/discussions/14123#discussioncomment-2005579
I tested with dummy_key without the useIRSA option and I get Forbidden.