cetic / helm-nifi

Helm Chart for Apache Nifi
Apache License 2.0
213 stars 220 forks

[cetic/nifi] Unable to use IAM Roles For Service Accounts with Nifi #134

Open andrewhibbert opened 3 years ago

andrewhibbert commented 3 years ago

Describe the bug

I'm trying to use NiFi with IAM roles for service accounts. We are using NiFi 1.13, which seems to have a supported SDK (https://github.com/apache/nifi/blob/rel/nifi-1.13.0/nifi-nar-bundles/nifi-aws-bundle/pom.xml#L29), higher than the minimum supported version listed here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html. However, NiFi does not seem to be using the role at all. Any ideas? I have set fsGroup to 65534, as this has been mentioned as a general problem using IAM roles for service accounts via k8s.

Version of Helm and Kubernetes:

Helm 3.15, Kubernetes 1.18

andrewhibbert commented 3 years ago

Not a bug, but wondering if anyone is successfully using IRSA with NiFi.

Shivam9268 commented 3 years ago

It will be really helpful if someone can help here. I'm also facing the same issue. It assumes the role of the worker node even after specifying eks.amazonaws.com/role-arn in the serviceAccount annotations. Chart version: 0.6.4, NiFi 1.13.2.

nuttybrewer commented 3 years ago

Ok, so I'm trying to reverse-engineer this as well... here is what I did but I'm missing the final pieces: Add this to your values.yml

    sts:
      serviceAccount:
        create: true
        name: mynifi

When I deploy the chart, it creates and assigns the service account as mynifi-sa.

You then need to create a "Web Identity" role as per https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html and then inject the annotation into the service account.

Since the chart isn't set up to inject annotations into the service account (perhaps we could submit a pull request for this?) I use kubectl edit serviceaccount mynifi-sa, I didn't verify the method in the URL for this.

Once I did this, I'm able to log onto the "nifi-0 server" container and validate that the environment variables are set.

I'm now trying to configure the AWSCredentialsProviderControllerService in nifi to use this somehow, but it doesn't seem to want to do this "directly".

I have a feeling that something needs to be modified in the code to take advantage of this and it's not exposed yet: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-web_identity_token_file.html

Shivam9268 commented 3 years ago

Hi @nuttybrewer, yes the environment variables do populate inside the container. But still there were issues assuming the role. So our team created custom plugins with software.amazon.awssdk:sts added as a dependency which solved the issue. I also went ahead and created a PR #143 to inject annotations into service account.
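A worked check for the setup nuttybrewer describes above (annotated service account, AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE visible in the nifi-0 "server" container) and for the symptom Shivam9268 reports (the node role gets assumed despite the annotation). This is an added example, not code from cetic/helm-nifi, Apache NiFi or the participants. It assumes what IRSA documents: the pod identity webhook mounts a projected token whose `sub` is `system:serviceaccount:<namespace>:<serviceaccount>` and whose `aud` is `sts.amazonaws.com`, and exports the two environment variables. The namespace `nifi`, the service account `mynifi-sa` and the role ARNs used for testing are made up, and the script only needs `sh`, `sed`, `cut` and `base64`, which are assumed to exist in the NiFi image.

```shell
#!/bin/sh
# Added example (not from cetic/helm-nifi or Apache NiFi): sanity checks for IRSA
# wiring, run inside the pod or against a token copied out of it.
# Assumptions: EKS sets AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE; the projected
# token carries sub=system:serviceaccount:<ns>:<sa> and aud=sts.amazonaws.com.
# Names "nifi", "mynifi-sa" and the role ARNs below are made up for the example.

# Decode the payload (second dot-separated segment) of a JWT: base64url -> base64,
# restore padding, decode. No signature check here; STS verifies it, we only inspect.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  pad=$(( (4 - ${#seg} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
  printf '%s' "$seg" | base64 -d
}

# Pull flat claims out of the JSON payload with sed (no jq in the image). Projected
# tokens carry "aud" as a one-element array, so the string matcher accepts both forms.
claim_str() { printf '%s' "$1" | sed -n "s/.*\"$2\":\[\{0,1\}\"\([^\"]*\)\".*/\1/p"; }
claim_num() { printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"; }

# Does the token identify the expected service account, target STS and still live?
# Prints the reason and returns 1 on the first mismatch.
check_irsa_token() { # token namespace serviceaccount
  payload=$(jwt_payload "$1") || { echo "cannot decode token"; return 1; }
  sub=$(claim_str "$payload" sub)
  aud=$(claim_str "$payload" aud)
  exp=$(claim_num "$payload" exp)
  [ "$sub" = "system:serviceaccount:$2:$3" ] || { echo "sub is '$sub', expected system:serviceaccount:$2:$3"; return 1; }
  [ "$aud" = "sts.amazonaws.com" ] || { echo "aud is '$aud', expected sts.amazonaws.com"; return 1; }
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ] || { echo "token expired or has no exp"; return 1; }
  return 0
}

# Role name inside an STS caller ARN (arn:aws:sts::<acct>:assumed-role/<role>/<session>)
# and inside an IAM role ARN (arn:aws:iam::<acct>:role/<path>/<role>). If the caller
# identity names the node instance role instead of AWS_ROLE_ARN, the SDK fell through
# to the instance profile, which is the symptom reported in this issue.
assumed_role_name() { printf '%s' "$1" | sed -n 's|.*:assumed-role/\([^/]*\)/.*|\1|p'; }
role_name_from_arn() { printf '%s' "$1" | sed -n 's|.*:role/||p' | sed 's|.*/||'; }
caller_matches_role() { # caller_arn role_arn
  [ -n "$(assumed_role_name "$1")" ] && [ "$(assumed_role_name "$1")" = "$(role_name_from_arn "$2")" ]
}

# Constructed, unsigned test token so the checks can be exercised offline; the real
# token lives at $AWS_WEB_IDENTITY_TOKEN_FILE.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
make_test_token() { # namespace serviceaccount exp
  hdr=$(printf '{"alg":"RS256","kid":"example"}' | b64url)
  body=$(printf '{"aud":["sts.amazonaws.com"],"exp":%s,"iss":"https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE","sub":"system:serviceaccount:%s:%s"}' "$3" "$1" "$2" | b64url)
  printf '%s.%s.%s' "$hdr" "$body" "c2lnbmF0dXJl"
}

# Live run inside the pod: check the mounted token against the namespace and service
# account given as arguments (defaults are the made-up names from this example).
if [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] && [ -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
  check_irsa_token "$(cat "$AWS_WEB_IDENTITY_TOKEN_FILE")" "${1:-nifi}" "${2:-mynifi-sa}" \
    && echo "token OK; annotation says role ${AWS_ROLE_ARN:-<unset>}"
fi
```

To run it in the pod without copying a file in: `kubectl exec nifi-0 -c server -i -- sh -s nifi mynifi-sa < irsa_check.sh`. A token that passes `check_irsa_token` while `aws sts get-caller-identity` (or the ARN NiFi logs) still names the node role means the projection and annotation are fine and the problem is on the SDK side, which matches the thread: the credentials chain needs the STS module to exchange the web identity token, and without it the SDK silently falls back to the instance profile.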

browns9 commented 3 years ago

@Shivam9268

Hi @nuttybrewer, yes the environment variables do populate inside the container. But still there were issues assuming the role. So our team created custom plugins with software.amazon.awssdk:sts added as a dependency which solved the issue. I also went ahead and created a PR #143 to inject annotations into service account.

"custom plugins" ... Do you mean NiFi authenticator plugins?

Many thanks, Steve

nuttybrewer commented 3 years ago

Hi Steve,

I submitted https://github.com/apache/nifi/pull/5108 to support this. You can fork and compile NiFi; the Dockerfiles are already in the distribution. I can change the image and version in the current charts to load those custom ones, and they now work fine.

Pat


banzo commented 2 years ago

marking this as stale since the above mentioned PR has been closed.