Open Lowess opened 1 year ago
@julienduchesne do you mind checking if this sounds legitimate? That would be great if this could go through a future release.
Thanks!
I’m not a Drone maintainer, just a random guy launching agents in AWS from a k8s cluster in GCP. So about auth, I have no idea
@vistaarjuneja any chance you could review this PR and get it merged? I saw you recently merged changes related to the Amazon provider.
Many thanks 🙏
Hi everyone!
While trying to get the Drone autoscaler running on an Amazon EKS Kubernetes cluster, I encountered an issue with the way the AWS SDK handles the session when using an IAM role.
The Drone autoscaler deployment is assigned a ServiceAccount to grant the service access to an IAM role (IRSA / OIDC IAM role dedicated to the pod), as stated in this documentation: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
While digging into AWS SDK issues I found this relevant issue that makes a mention of using `session.NewSession` instead of `session.New`, which does not handle web identity token files well: https://github.com/aws/aws-sdk-go/issues/4436. I made a local build of the project and took it for a spin, and it works like a charm now. The Drone autoscaler service is able to assume the ServiceAccount IAM role instead of the IAM role assigned to the EC2 machine.
I used the IAM policy for the drone autoscaler suggested by @mtb-xt on the community forum https://community.harness.io/t/drone-autoscaler/10719/12
The IAM trust policy is as follows:
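Added example, not code from the PR or the Drone project: a small stdlib-only Go diagnostic for the situation described in this PR. It does two things a practitioner debugging IRSA on EKS wants to check before touching the SDK call: which credential source the SDK's `session.NewSession` path would select given the pod's environment (the `credentialSource` function is a simplified mirror of that resolution order, written here, not the SDK's own code), and what `sub`/`aud` the projected token actually carries so they can be compared against the trust policy's condition. The environment variable names `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the ones the EKS pod identity webhook injects; the role ARN, OIDC issuer, namespace and service-account name in the sample token are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Claims holds the projected service-account token fields that matter for
// IRSA: iss is the cluster's OIDC provider, aud must match what the trust
// policy expects (sts.amazonaws.com by default), and sub is
// system:serviceaccount:<namespace>:<name>, which the trust policy's
// Condition pins down.
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience audience `json:"aud"`
	Expires  int64    `json:"exp"`
}

// audience accepts both a JSON string and a JSON array, since aud may be either.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = audience(many)
	return nil
}

// credentialSource is a simplified mirror (not the SDK's code) of the order in
// which session.NewSession resolves credentials: a web identity token wins when
// AWS_ROLE_ARN is set and the token file exists; otherwise static env keys;
// otherwise the instance profile, which inside a pod means the EC2 node's role.
// The deprecated session.New skips the web identity step, which is why the
// autoscaler ended up with the node role instead of the ServiceAccount role.
func credentialSource(getenv func(string) string, exists func(string) bool) string {
	if getenv("AWS_ROLE_ARN") != "" && exists(getenv("AWS_WEB_IDENTITY_TOKEN_FILE")) {
		return "web_identity"
	}
	if getenv("AWS_ACCESS_KEY_ID") != "" && getenv("AWS_SECRET_ACCESS_KEY") != "" {
		return "static_env"
	}
	return "instance_profile"
}

// inspectToken decodes a JWT payload WITHOUT verifying the signature. This is a
// local diagnostic to read the sub/aud the pod presents, not an authentication
// step; STS does the real verification against the cluster's OIDC provider.
func inspectToken(raw string) (Claims, error) {
	parts := strings.Split(strings.TrimSpace(raw), ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("token does not have three dot-separated parts")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, fmt.Errorf("decode payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, fmt.Errorf("parse claims: %w", err)
	}
	if !strings.HasPrefix(c.Subject, "system:serviceaccount:") {
		return c, errors.New("sub is not a Kubernetes service account subject")
	}
	return c, nil
}

// constructedToken builds a made-up, unsigned JWT (fake signature) so the
// example runs offline; the issuer, namespace and name are placeholders.
func constructedToken() string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","kid":"example"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"https://oidc.eks.example.invalid/id/EXAMPLE","sub":"system:serviceaccount:drone:drone-autoscaler","aud":"sts.amazonaws.com","exp":4102444800}`))
	return header + "." + payload + ".fake-signature"
}

func main() {
	exists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	fmt.Println("credential source NewSession would pick:", credentialSource(os.Getenv, exists))

	path := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	raw := constructedToken()
	if path != "" {
		b, err := os.ReadFile(path)
		if err != nil {
			fmt.Println("cannot read token file:", err)
			return
		}
		raw = string(b)
	} else {
		fmt.Println("AWS_WEB_IDENTITY_TOKEN_FILE not set; decoding the constructed sample token instead")
	}
	c, err := inspectToken(raw)
	fmt.Printf("iss=%s sub=%s aud=%v err=%v\n", c.Issuer, c.Subject, c.Audience, err)
}
```

Run it inside the autoscaler pod: if it reports `instance_profile` or a `sub` that does not match the trust policy's `system:serviceaccount:<namespace>:<name>` condition, the problem is the pod's ServiceAccount wiring rather than the SDK session call.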