Closed david-kirby closed 3 months ago
Can you try the following:
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
name: demo-pod-identity
spec:
credentials:
source: WebIdentity
webIdentity:
roleARN: arn:aws:iam::12345678910:role/demo
tokenConfig:
fs:
path: /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token
source: Filesystem
I tried the above ProviderConfig using the 1.3.0 aws-sqs provider and also updated my IAM role to allow the sts:AssumeRoleWithWebIdentity
action and received this error after trying to create the sqs queue again:
message: 'connect failed: cannot initialize the Terraform plugin SDK async external
client: cannot get terraform setup: cache manager failure: cannot retrieve the
AWS credentials: failed to refresh cached credentials, failed to retrieve credentials,
operation error STS: AssumeRoleWithWebIdentity, exceeded maximum number of attempts,
3, https response error StatusCode: 400, RequestID: 3abbae7e-25fa-4c0f-915d-929ae090c3f2,
InvalidIdentityToken: Incorrect token audience
Double checked I have the audience set correctly on the AWS OIDC provider for the cluster
"ClientIDList": [
"sts.amazonaws.com"
],
Alrighty I think I got this fixed after decoding the token here: /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token
it's showing an audience of pods.eks.amazonaws.com
Once I added that to my OIDC configuration for the cluster the sqs queue was able to be created.
This command aws iam get-open-id-connect-provider --open-id-connect-provider-arn <USE_ARN>
should return
"ClientIDList": [
"sts.amazonaws.com",
"pods.eks.amazonaws.com"
],
So for anyone else trying to use pod identity here's my final setup to get it working with 1.3.0
pods.eks.amazonaws.com
in the Audiences listcrossplane-role
) with trust policy for AssumeRoleWithWebIdentity and pods.eks.amazonaws.comcrossplane
service account. This way I create a single PodIdentity association, mapping IAM crossplane-role
with crossplane
service accountapiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
name: patch-service-account
spec:
deploymentTemplate:
spec:
selector: {}
template:
spec:
serviceAccountName: crossplane
containers: []
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-aws-sqs
spec:
package: xpkg.upbound.io/upbound/provider-aws-sqs:v1.3.0
runtimeConfigRef:
name: patch-service-account
---
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
name: prod
spec:
credentials:
source: WebIdentity
webIdentity:
roleARN: arn:aws:iam::<ACCOUNT_ID>:role/crossplane-role
tokenConfig:
fs:
path: /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token
source: Filesystem
---
apiVersion: sqs.aws.upbound.io/v1beta1
kind: Queue
metadata:
name: demo-queue
spec:
forProvider:
name: demo-queue
region: us-east-1
providerConfigRef:
name: prod
IAM role trust policy for my crossplane-role
:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/UNIQUE_ID"
},
"Action": "sts:AssumeRoleWithWebIdentity"
},
{
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
@david-kirby your solution would work, but then it is not pod identity solution, rather a workaround that fixes pod identity for IRSA (since I still see the IRSA oidc).
Is there an existing issue for this?
Affected Resource(s)
Resource MRs required to reproduce the bug
In short, the below manifests:
crossplane
prod
and to use IRSA for credentials (IMPORTANT NOTE: This is working with a Pod Association configuration in EKS. The IAM role is not configured for IRSA and instead it's configured for Pod Identity)