falcosecurity / falcosidekick

Connect Falco to your ecosystem
Apache License 2.0

AWS-Region issue when trying to work with EC2-Instance Profiles via KIAM #325

Closed VF-mbrauer closed 2 years ago

VF-mbrauer commented 2 years ago

Describe the bug

We are using a Kubernetes installation on AWS EC2 VMs. To communicate with AWS (assume roles) we use KIAM (https://github.com/uswitch/kiam). When trying to remove the Access Keys and Access Secrets and make use of EC2 instance profiles, Falcosidekick fails when it tries to connect to AWS.

Error Message in the Logs: 2022/06/01 10:30:33 [ERROR] : AWS - MissingRegion: could not find region configuration

How to reproduce it

When removing the following Entries from secret of Falcosidekick:

it will show the following error: 2022/06/01 10:30:33 [ERROR] : AWS - MissingRegion: could not find region configuration

When setting AWS_REGION to the correct region (e.g. "eu-central-1"), it shows the following error: 2022/06/01 10:50:45 [ERROR] : AWS - Error while getting AWS Token

After a hint from @Issif I tried to define the environment variable AWS_STS_REGIONAL_ENDPOINTS = true; then the following error message is shown: 2022/06/01 11:00:30 [ERROR] : AWS - Error while creating AWS Session

Expected behaviour

Login via the instance role profile should work, and Falcosidekick should be able to communicate with the AWS API.

Environment

Issif commented 2 years ago

Thank you for this report, I'll do some tests on my own with as much use-cases as possible.

Issif commented 2 years ago

Can you test with the latest image? It should work now.

eelkonio commented 2 years ago

I've tested it as we also want to use KIAM. We do get one step further, but then this error occurs:

2022/06/17 07:39:29 [ERROR] : AWS - Error while getting AWS Token: WebIdentityErr: failed to retrieve credentials
caused by: InvalidIdentityToken: No OpenIDConnect provider found in your account for https://oidc.eks.eu-central-1.amazonaws.com/id/<SOME_ID>
    status code: 400, request id: f2142f50-1967-4f60-b2b9-.........

As you may expect, we do not use OIDC and do not have OIDC configured. Is it absolutely necessary to have an OIDC provider for FalcoSidekick?

Cheers, Eelko

eelkonio commented 2 years ago

Found the problem on my side - I had set the config.aws.rolearn which then triggered the OIDC path in the code. When left empty there is no error message and KIAM is used as intended!

(Of course you do need to set the appropriate kiam annotations in the podAnnotations in values.yaml )
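
An added illustration of the resulting Helm values, written for this thread rather than taken from the falcosidekick project or its docs: the `config.aws.*` keys are assumed to match the falcosidekick chart, `iam.amazonaws.com/role` is the pod annotation KIAM reads to decide which role to serve via the instance-metadata endpoint, and the role name, account ID and region are placeholders.

```yaml
# values.yaml fragment for the falcosidekick Helm chart (assumed key names)
config:
  aws:
    region: "eu-central-1"      # required: avoids "MissingRegion" from the SDK
    accesskeyid: ""             # leave empty: no static keys in the secret
    secretaccesskey: ""
    rolearn: ""                 # MUST stay empty with KIAM; a value selects the
                                # AssumeRoleWithWebIdentity (OIDC) path, which
                                # fails with "No OpenIDConnect provider found"
                                # on clusters that have no OIDC provider

# KIAM selects the role from this pod annotation and answers the SDK's
# credential requests to 169.254.169.254 on the pod's behalf.
podAnnotations:
  iam.amazonaws.com/role: "arn:aws:iam::123456789012:role/falcosidekick"  # placeholder
```

Two checks are worth doing before relying on this: the namespace must also carry KIAM's `iam.amazonaws.com/permitted` annotation allowing that role, and the pod should never reach the real instance role, so the error "Error while getting AWS Token" with an OIDC message is the signal that `rolearn` is still set somewhere (values, secret or environment) rather than a KIAM problem.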

Issif commented 2 years ago

If it's OK for you, do you think we can close this issue then? Thanks

Issif commented 2 years ago

/close

poiana commented 2 years ago

@Issif: Closing this issue.
