Open miguelaferreira opened 8 months ago
Hi @miguelaferreira,
Since support for S3 buckets is implemented in a plugin, I think you need to refer to the S3 plugin documentation.
I hope that helps. Thank you!
Thanks for getting back to me @arybolovlev.
I get the principle of what I need to do. It's just that when my AWS provider takes the credentials I give to the terraform process, and then assumes a role (on another account), that role is the one that has access to the S3 bucket where the helm repo is. However, the helm provider will have those underlying credentials I gave to the terraform process, and those don't have access to the S3 bucket where the helm repo is.
Ideally there would be a way to configure the AWS role to be assumed in the helm provider. As a workaround I had to set up cross-account policies to allow the underlying credentials to access the S3 bucket, and that breaks the permission segregation that I had before.
Did you manage to solve this issue?
Yes, I did work around it. What I did was to allow the user with the credentials to access the S3 bucket. My AWS provider assumes a role with those credentials, and the helm s3 plugin uses the credentials directly.
Ideally the helm s3 plugin would also assume the role first, but as I describe in the issue it can't.
I'm trying to deploy a `helm_release` that uses an S3 bucket as the repository. There is no public access to that S3 bucket. I'm able to do `helm install/upgrade` locally, and for that I need to provide AWS credentials to the helm command, for it to download the repo index (`index.yaml`) and the required chart.

However, when I do that via the terraform helm provider I keep getting Access Denied. I have both an AWS and a Helm provider declared. The AWS provider has the required access to the S3 bucket, but the helm provider does not.
This is the debug log from the terraform execution.
Terraform version, Kubernetes provider version and Kubernetes version
Terraform configuration
Question
Is there a way to manipulate the helm provider environment and inject the required AWS credentials?
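One way to answer that question without widening the bucket policy, as an added example that is not part of the issue thread or of the helm provider or helm-s3 projects: assume the same cross-account role once with the base credentials, and hand the resulting temporary session credentials to the `terraform` process through the standard `AWS_*` environment variables. This assumes the helm-s3 plugin resolves credentials through the AWS SDK default chain (so it honours those variables), and `ROLE_ARN`, `helm-s3-terraform` and the `export_sts_creds` / `run_terraform_as_role` function names are placeholders introduced here.

```shell
#!/bin/sh
# Added example, not code from the issue thread. Assumes the helm-s3 plugin reads the
# standard AWS_* environment variables via the AWS SDK default credential chain, and
# that ROLE_ARN (placeholder) is the cross-account role the AWS provider already assumes.
set -eu

# Parse one tab-separated line "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken",
# which is the shape `aws sts assume-role --output text` prints for the --query below,
# and export the three variables the AWS SDK credential chain reads.
export_sts_creds() {
    creds_line=$1
    old_ifs=$IFS
    IFS="$(printf '\t')"
    # shellcheck disable=SC2086  # intentional word splitting on tabs
    set -- $creds_line
    IFS=$old_ifs
    if [ "$#" -ne 3 ]; then
        echo "export_sts_creds: expected 3 credential fields, got $#" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$1"
    export AWS_SECRET_ACCESS_KEY="$2"
    export AWS_SESSION_TOKEN="$3"
}

# Assume the role once and run terraform with the session credentials in its
# environment, so the helm-s3 plugin reads the bucket as the role rather than as
# the base credentials. Session credentials expire (here after one hour).
run_terraform_as_role() {
    role_arn=$1
    shift
    creds=$(aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name helm-s3-terraform \
        --duration-seconds 3600 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)
    export_sts_creds "$creds"
    terraform "$@"
}

# Usage: ROLE_ARN=arn:aws:iam::<account>:role/<name> ./helm-s3-as-role.sh --run apply
if [ "${1:-}" = "--run" ]; then
    shift
    run_terraform_as_role "${ROLE_ARN:?set ROLE_ARN to the ARN of the role to assume}" "$@"
fi
```

Because the AWS provider in the same configuration also reads those environment variables, its own `assume_role` block would then chain from the already-assumed session; either drop that block or check that the role's trust policy allows it to assume itself. The bucket policy stays scoped to the role, which keeps the segregation the issue reporter lost with the cross-account workaround.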