Open Dennor opened 1 month ago
Hi @Dennor, thanks for reporting this. Could you also provide the YAML output of the provider-aws-iam pod?
The IRSA provider config implementation assumes that the provider pod runs on an EKS cluster. EKS injects several extra environment variables on IRSA-enabled pods, like AWS_REGION, AWS_DEFAULT_REGION and AWS_STS_REGIONAL_ENDPOINTS, which influence the resulting AWS SDK configuration. See https://github.com/aws/amazon-eks-pod-identity-webhook?tab=readme-ov-file#aws_default_region-injection for reference.
For the Kubernetes distribution you use, I am not sure how IRSA-related configuration is injected, e.g. how the eks.amazonaws.com/role-arn annotation is handled. I assume that these are not automatically injected by your distribution. Could you specify a bit more about what your environment looks like?
Is there an existing issue for this?
Affected Resource(s)
Resource MRs required to reproduce the bug
Steps to Reproduce
What happened?
I expected the provider to authenticate with the STS endpoint like others do. Unfortunately, due to the lack of a region, the provider attempts to call the STS endpoint without a region and fails. It attempts to call sts..amazonaws.com, which is clearly wrong.
Relevant Error Output Snippet
Crossplane Version
1.15.2
Provider Version
1.4.0
Kubernetes Version
1.29.4
Kubernetes Distribution
k0s
Additional Info
A simple addition of
in the DeploymentRuntimeConfig fixes the issue.
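
As an added example (not part of the issue thread, not the provider's code, and not the snippet the reporter refers to), this Python check reads a pod's JSON manifest and reports which of the IRSA-related environment variables named in the maintainer's comment are absent. The sample pod, its container name and the `sts.<region>.amazonaws.com` host pattern are assumptions constructed for illustration; `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the identity variables the EKS pod identity webhook sets.

```python
import json

# Variables the EKS pod identity webhook injects on IRSA-enabled pods.
IDENTITY_VARS = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
REGION_VARS = ("AWS_REGION", "AWS_DEFAULT_REGION")

# Constructed sample: trimmed `kubectl get pod -o json` output for a pod where
# only the identity variables are set (no region), as on a non-EKS cluster.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "provider-aws-iam-example"},
 "spec": {"containers": [{"name": "package-runtime", "env": [
   {"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::111122223333:role/example"},
   {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
    "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
 ]}]}}
""")


def container_env(container):
    """Map env var name -> literal value ('' when empty or set via valueFrom)."""
    return {e["name"]: e.get("value") or "" for e in container.get("env") or []}


def check_irsa_env(pod):
    """Return {container_name: [findings]} for IRSA-related env gaps."""
    report = {}
    for c in pod.get("spec", {}).get("containers", []):
        env = container_env(c)
        findings = [f"missing {v}" for v in IDENTITY_VARS if not env.get(v)]
        region = next((env[v] for v in REGION_VARS if env.get(v)), "")
        if not region:
            findings.append("no region set: " + " / ".join(REGION_VARS))
            # Assumption: a regional STS host is built as sts.<region>.amazonaws.com,
            # so an empty region gives the malformed host quoted in the report.
            findings.append(f"STS host would be sts.{region}.amazonaws.com")
        if env.get("AWS_STS_REGIONAL_ENDPOINTS") != "regional":
            findings.append("AWS_STS_REGIONAL_ENDPOINTS is not 'regional'")
        report[c["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in check_irsa_env(SAMPLE_POD).items():
        print(name, "OK" if not findings else findings)
```

Variables supplied through `valueFrom` carry no literal value in the manifest, so this check reports them as missing.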