Closed fgiannetti closed 7 months ago
hi @fgiannetti, assuming that your IRSA configuration is propagating correctly to the provider pod provider-aws-s3-xxx
(you can check that AWS_ROLE_ARN
and AWS_WEB_IDENTITY_TOKEN_FILE
env vars are automatically set to the s3 provider pod), it seems that your trust config references a wrong service account name condition.
"Condition": {
"StringLike": {
"oidc.eks.us-east-1.amazonaws.com/id/SOMETHUMBPRINT:sub": "system:serviceaccount:crossplane-system:provider-aws-iam-*"
}
}
Note the "system:serviceaccount:crossplane-system:provider-aws-iam-*"
in the trust relationship condition. The S3 provider pod will have a service account name generated like provider-aws-s3-xxxx
, so it won't match your trust policy condition.
Could you try changing the service account referenced in the trust policy to provider-aws-s3-*
to match the service account name? Alternatively, you can also configure provider-aws-*
to trust all the provider-aws service accounts for local-role
.
Why it is using an IAM user (arn:aws:sts::1111111111:assumed-role/eks-node-nbl-management/i-1f4de328357931e37) to perform the AssumeRole? The remote account role has not that user configured in its Trusted Relationships. This is your k8s cluster node's IAM role.
Since the IRSA service account did not match with the trust config, AWS client falls back to the cluster node's IAM role and tries to assume local-role
with cluster node's role by default. That is why you see this error.
Hope this helps!
Hi @erhancagirici thank you so much for your answer! Shame on me for that missconfig. Fixed it and the assumeRole was donde just fine! Confirmed with the AWS console :)
But once the role is assumed, I still cannot create the bucket because I get a 403. The assumed role has the S3FullAccess policy attached but, I get this error:
observe failed: failed to observe the resource: [{0 reading Amazon S3 (Simple Storage) Bucket (fer-test): operation error S3: HeadBucket, https response error StatusCode: 403, RequestID: 0K34WCWYG7PGXGYM, HostID: ZrTVen/9xqs6cfPJ7PzsHdipyVllgQT6zE/dPji57KFj7g35NRrMGfNEc1E44UoTxLcBC/NdBbA=, api error Forbidden: Forbidden []}]
Any idea? If I assume the role manually using the AWS cli, i can execute a create bucket action with no problems
@erhancagirici Discard my last message! It worked like a charm! I get the 403 because I was referencing to a existent bucket (I am the bumbest person ever)
Thank you so so much for your help and your Hawk Eye 🦅 with the wrong service account name reference
Closing this issue!
Hi All! I neet to manage S3 Buckets in a remote account but I am facing a problem trying to authenticate to the remote AWS account using IRSA and assumeRoleChain.
AWS Config: I configured an IAM Role inside Account1 (1111111111), named local-role, that has this Trust Relationship:
This Role has attached an IAM Policy that allows to assume role in the remote account Acocunt2 (2222222222) named remote-role
In Account2,
remote-role
allows the Account1 local-role to execute AssumeRole. All this configuration was tested manually using the AWS cli and works fine, creating and listing a buckets.Crossplane Config I was following this guide to configure AWS Provisioner and ProvisionerConfig.
I created an DeploymentResourceConfig annotating the ServiceAccount to use the local-role:
The Provider is using this DeploymentRuntimeConfig:
And the ProvisionerConfig:
The generated ServiceAccount is annotated with
eks.amazonaws.com/role-arn: arn:aws:iam::1111111111:role/local-role
When I try to create a bucket using this yaml:
It is Synced = False and getting this error:
My questions:
I am missconfiguring something? Or what I am doing wrong?
Thank you so much in advance!