bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/minio] Empty S3 creds PR #11315

Closed alenhodzic85 closed 2 years ago

alenhodzic85 commented 2 years ago

Name and Version

bitnami/minio 11.7.13

What steps will reproduce the bug?

  1. Trying to deploy helm chart with IRSA

Are you using any custom parameters or values?

replicaCount: 1
serviceAccount:
  name: minio
  annotations: 
      "eks.amazonaws.com/role-arn": "${aws_iam_role.minio_s3_role.arn}"
extraEnvVars:
  - name: _MINIO_SERVER_DEBUG
    value: "on"
  - name: AWS_ROLE_SESSION_NAME
    value: "minio"

auth:
  rootUser: dummy_key
  rootPassword: dummy_key
gateway:
  enabled: true
  replicaCount: 1
  type: s3
  auth:
    s3:
      useIRSA: true
      serviceEndpoint: https://s3.eu-central-1.amazonaws.com

What is the expected behavior?

Accessing S3 bucket without AWS Access and Secret ID

What do you see instead?

ERROR Unable to validate credentials inherited from the shell environment: Invalid credentials
> Please provide correct credentials
HINT:
Access key length should be at least 3, and secret key length at least 8 characters

Additional information

PR: https://github.com/bitnami/charts/pull/11212 No gateway.auth.s3.useIRSA in values file.

Successfully tested the role with another container.

Some older issues: https://github.com/bitnami/charts/issues/7738 https://github.com/minio/minio/discussions/14123#discussioncomment-2005579

I tested with dummy_key without the useIRSA option and I get Forbidden.

Authorization: AWS4-HMAC-SHA256 Credential=dummy_key/20220722/eu-central-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date,X-Amz-Content-Sha256: 3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
HTTP/1.1 403 Forbidden

FraPazGal commented 2 years ago

Hello @alenhodzic85,

Going by #7738, you need to add dummy values to gateway.auth.s3.accessKey/secretKey instead of leaving them blank. That should be why you are getting that error. Could you please try using the values detailed at https://github.com/bitnami/charts/issues/7738#issuecomment-1020624273? Additionally, it seems you shouldn't need to use any additional ENVs for this to work.

Besides that, https://github.com/bitnami/charts/pull/11212 did not add the gateway.auth.s3.useIRSA param, which is a typo. Would you like to contribute with a PR to fix this?

alenhodzic85 commented 2 years ago

Hi @FraPazGal, I am connecting Report Portal to Minio Gateway with S3. Report portal creates buckets through Minio. Tested with plain AWS secret and access key and it works as expected.

I also configured IRSA and used that service account to access s3 buckets from another pod and that part is also working.

> CASE 1:

replicaCount: 1
serviceAccount:
  name: minio
  annotations:
    "eks.amazonaws.com/role-arn": "${aws_iam_role.minio_s3_role.arn}"
extraEnvVars:
  - name: _MINIO_SERVER_DEBUG
    value: "on"
gateway:
  enabled: true
  replicaCount: 1
  type: s3
  auth:
    s3:
      serviceEndpoint: https://s3.eu-central-1.amazonaws.com
      accessKey: "dummy_key"
      secretKey: "dummy_key"

Minio successfully deploys, but there are error logs:

---------START-HTTP---------                                                                                                    
HEAD / HTTP/1.1                                                                                                                 
Host: probe-bucket-sign-ihxjwzihp6c5.s3.dualstack.eu-central-1.amazonaws.com                                                    
User-Agent: MinIO (linux; amd64) minio-go/v7.0.31                                                                               
Authorization: AWS4-HMAC-SHA256 Credential=dummy_key/20220727/eu-central-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855                                          
X-Amz-Date: 20220727T103018Z                                                                                                    

HTTP/1.1 403 Forbidden                                                                                                          
Connection: close                                                                                                               
Content-Type: application/xml                                                                                                   
Date: Wed, 27 Jul 2022 10:30:17 GMT                                                                                             
Server: AmazonS3                                                                                                                
X-Amz-Id-2: YYJspZf+dYTmFT8+ey6udIrJr2t3r2uS344oDsZsJN2UoO5ec+Jg7eTgGPu97BV6J09vWKGQKWQ=                                        
X-Amz-Request-Id: 5PKNFYWYX8CVJ1BD                                                                                              
---------END-HTTP---------

Minio logs trying to log in to UI:

API: AccountInfo()                                                                                                              
Time: 10:35:02 UTC 07/27/2022                                                                                                   
DeploymentID: ac43d046-ed6b-43fd-9400-ca6a05a383ea                                                                              
RequestID: 1705A9398D470A06                                                                                                     
RemoteHost: 10.0.12.116                                                                                                         
Host: 10.0.12.116:9000                                                                                                          
UserAgent: MinIO (linux; amd64) madmin-go/0.0.1                                                                                 
Error: The AWS Access Key Id you provided does not exist in our records. (minio.ErrorResponse)                                  
       6: internal/logger/logger.go:270:logger.LogIf()                                                                          
       5: cmd/api-errors.go:2135:cmd.toAPIErrorCode()                                                                           
       4: cmd/admin-handler-utils.go:224:cmd.toAdminAPIErrCode()                                                                
       3: cmd/admin-handler-utils.go:211:cmd.toAdminAPIErr()                                                                    
       2: cmd/admin-handlers-users.go:1182:cmd.adminAPIHandlers.AccountInfoHandler()                                            
       1: net/http/server.go:2046:http.HandlerFunc.ServeHTTP()                                                                  
E: 2022/07/27 10:35:02 We encountered an internal error, please try again. (The AWS Access Key Id you provided does not exist in our records.)
%!(EXTRA madmin.ErrorResponse=We encountered an internal error, please try again. (The AWS Access Key Id you provided does not exist in our records.), *errors.errorString=invalid session)

> CASE 2:

replicaCount: 1
serviceAccount:
  name: minio
  annotations:
    "eks.amazonaws.com/role-arn": "${aws_iam_role.minio_s3_role.arn}"
extraEnvVars:
  - name: _MINIO_SERVER_DEBUG
    value: "on"
gateway:
  enabled: true
  replicaCount: 1
  type: s3
  auth:
    s3:
      useIRSA: true
      serviceEndpoint: https://s3.eu-central-1.amazonaws.com
      accessKey: "dummy_key"
      secretKey: "dummy_key"

Minio deployment fails with:

ERROR Unable to validate credentials inherited from the shell environment: Invalid credentials
      > Please provide correct credentials                                                    
      HINT:                                                                                   
        Access key length should be at least 3, and secret key length at least 8 characters

Sorry for the long post.

alenhodzic85 commented 2 years ago

Hello, any update on this?

Thank you.

FraPazGal commented 2 years ago

Hi @alenhodzic85,

I couldn't get access to an AWS cluster to test this properly, but it seems you are missing some config in your first case. I reproduced your issues using an S3 role with its trust policy not yet configured.

Please note you need to modify the default config following the script linked in the related issue. If I'm not mistaken, you'll need to access your AWS console and obtain both your account ID and OIDC provider for the AWS cluster where you are deploying MinIO.

Regarding your 2nd case, I'm pretty sure the gateway.auth.s3.useIRSA param can't be used with the current chart configuration. Even if the chart itself doesn't validate those parameters, it seems like MinIO itself does.
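
Added example, not code from this thread, the chart or MinIO: a small check that an IAM role's trust policy lets a given Kubernetes service account assume it through IRSA, which is the configuration the comment above says was missing. The account ID, OIDC provider ID and the `default` namespace are constructed placeholders; only the service account name `minio` comes from the issue.

```python
ACTION = "sts:AssumeRoleWithWebIdentity"

def _as_list(value):
    # IAM policy fields may hold a single value or a list of values.
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def check_irsa_trust_policy(policy, namespace, service_account):
    """Return the reasons the trust policy would not let this service
    account assume the role via IRSA (an empty list means it would)."""
    want_sub = f"system:serviceaccount:{namespace}:{service_account}"
    problems = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or ACTION not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        arn = next((a for a in arns if ":oidc-provider/" in a), None)
        if arn is None:
            problems.append("Principal.Federated is not an IAM OIDC provider ARN")
            continue
        # The condition key is the provider host/path followed by ":sub".
        provider = arn.split(":oidc-provider/", 1)[1]
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        subs = _as_list(equals.get(f"{provider}:sub"))
        if want_sub in subs:
            return []
        problems.append(f"{provider}:sub is {subs or 'unset'}, expected {want_sub}")
    return problems or [f"no Allow statement for {ACTION}"]

# Constructed sample documents (placeholder account ID and OIDC provider ID).
OIDC = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLE0123456789"
UNCONFIGURED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
CONFIGURED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
    "Action": ACTION,
    "Condition": {"StringEquals": {
        f"{OIDC}:sub": "system:serviceaccount:default:minio"}}}]}

if __name__ == "__main__":
    for name, doc in (("unconfigured", UNCONFIGURED), ("configured", CONFIGURED)):
        print(name, check_irsa_trust_policy(doc, "default", "minio") or "OK")
```

The function takes the role's trust policy as a parsed JSON document, so it can be run against the policy exported from the AWS console or CLI before deploying the chart.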

github-actions[bot] commented 2 years ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 2 years ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.