blueimp / aws-smtp-relay

SMTP server to relay emails via Amazon SES or Amazon Pinpoint using IAM roles.
MIT License

Doesn't work with IAM with service account on EKS OIDC #9

Closed yadachi closed 4 years ago

yadachi commented 4 years ago

Hi, I am using this on an EKS cluster with a service account. Since the last merge, aws-sdk should support OIDC with a service account, but it seems that the pod is still getting the instance IAM role.

```
SMTPDataError: (554, "User `arn:aws:sts::xxxxxxxxxxx:assumed-role/eks-node/i-0dabef8d257d9d78d' is not authorized to perform `ses:SendRawEmail' on resource `arn:aws:ses:eu-west-1:xxxxxxxxxxx:identity/example.com' (Service: AmazonSimpleEmailService; Status Code: 403; Error Code: AccessDenied; Request ID: xxxxxxxxx-eda9-4221-96bb-xxxxxxxx)")
```

Instead of the specified IAM role for SES, the pod is still getting credentials from the worker node IAM role.

blueimp commented 4 years ago

Hi @yadachi, how are you using aws-smtp-relay? Are you using the blueimp/aws-smtp-relay docker image or your own build? And I assume you've followed the AWS guides here?

(Potentially @redradrat can also provide some helpful guidance)

yadachi commented 4 years ago

@blueimp Sorry, this was my mistake; we are actually using our own image. I will double-check whether this is still happening. Sorry for the confusion.

redradrat commented 4 years ago

We already rolled this feature out a ton now :) so if you need help, just shoot.
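
A small diagnostic for the symptom reported in this issue, added here as an example (not code from aws-smtp-relay or from any commenter): it reads the assumed-role ARN out of the AccessDenied text to tell whether the caller is the node's instance profile, and lists which web-identity environment variables are missing from the pod. The function names and the sample ARN are constructed for illustration; `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables the AWS SDKs read for service-account roles.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// Matches the STS assumed-role ARN that AWS embeds in AccessDenied messages.
var assumedRole = regexp.MustCompile(`arn:aws[a-z-]*:sts::[^:]*:assumed-role/([^/\s']+)/([^\s'"]+)`)

// EC2 instance-profile credentials use the instance ID as the session name.
var instanceID = regexp.MustCompile(`^i-[0-9a-f]{8,17}$`)

// CredentialSource classifies the caller named in an AccessDenied error.
// It returns the role name and "instance-profile", "other-session" or "unknown".
func CredentialSource(errText string) (role, source string) {
	m := assumedRole.FindStringSubmatch(errText)
	if m == nil {
		return "", "unknown"
	}
	if instanceID.MatchString(m[2]) {
		return m[1], "instance-profile"
	}
	return m[1], "other-session"
}

// MissingIRSAEnv lists the web-identity variables absent from the environment.
// getenv is injected so the check can be exercised without a real pod.
func MissingIRSAEnv(getenv func(string) string) []string {
	var missing []string
	for _, k := range []string{"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"} {
		if getenv(k) == "" {
			missing = append(missing, k)
		}
	}
	return missing
}

func main() {
	// Constructed sample modelled on the error quoted in the issue.
	sample := "User `arn:aws:sts::111111111111:assumed-role/eks-node/i-0123456789abcdef0' is not authorized to perform `ses:SendRawEmail'"
	role, src := CredentialSource(sample)
	fmt.Printf("role=%s source=%s missing=%v\n", role, src, MissingIRSAEnv(os.Getenv))
}
```

An `instance-profile` result together with missing variables means the pod was never given a service-account role; the same result with both variables set points at an image whose SDK version ignores them.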