AWS cli version 1.16.199 installed in the docker image kubeaws/kube-spot-termination-notice-handler:1.13.7-1 does not support resolving credentials via STS AssumeRoleWithWebIdentity.
There is an error:
An error occurred (AccessDenied) when calling the DescribeAutoScalingInstances operation: User: arn:aws:sts::XXXXXXXXXXX:assumed-role/XXXXXX-eks-worker-eu-west-1/i-xxxxxxxx is not authorized to perform: autoscaling:DescribeAutoScalingInstances
Hi,

We would like to use the `detaching` feature. We use `kubectl annotate serviceaccount` to provide a service-account for spot-termination-handler pod. It provides `AWS_ROLE_ARN` & `AWS_WEB_IDENTITY_TOKEN_FILE` environment variables.

AWS cli version `1.16.199` installed in the docker image `kubeaws/kube-spot-termination-notice-handler:1.13.7-1` does not support resolving credentials via STS AssumeRoleWithWebIdentity. There is an error:

AWS cli ignores `AWS_ROLE_ARN` & `AWS_WEB_IDENTITY_TOKEN_FILE`. This feature was introduced only in the version `1.16.210` - https://github.com/aws/aws-cli/blob/develop/CHANGELOG.rst#116210

Could you please upgrade the aws cli (with version >1.16.210) and build a new docker image?

Additionally, it would be great to have an option to add `rbac.serviceAccountAnnotations` to the Helm Chart as was done for cluster-autoscaler, for example: https://github.com/helm/charts/blob/master/stable/cluster-autoscaler/templates/serviceaccount.yaml#L10

In this case we can replace running `kubectl annotate serviceaccount` and restarting pods manually with setting annotations as Helm values:

Thank you.
Best regards, Mikalai
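
The following is an added example, not part of the original issue or the project's image: a POSIX shell check that tells apart the reasons a pod ends up calling AWS as the worker node role instead of the role in `AWS_ROLE_ARN`. The function names, account ID and role names are constructed for illustration; the minimum version `1.16.210` is the one the issue cites.

```shell
#!/bin/sh
# Added example: why does the pod still act as the node role?
# Function names and all sample values are constructed for illustration.
MIN_CLI=1.16.210   # per the issue: first AWS CLI v1 release with web identity support

# cli_version "aws-cli/1.16.199 Python/2.7.16 ..." -> 1.16.199
cli_version() {
  printf '%s\n' "$1" | sed -n 's|^aws-cli/\([0-9][0-9.]*\).*|\1|p'
}

# version_ge A B: succeeds when dotted version A >= B (numeric, field by field)
version_ge() {
  a=$1; b=$2
  for i in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
  done
  return 0
}

# diagnose VERSION_OUTPUT ROLE_ARN TOKEN_FILE CALLER_ARN -> prints one verdict
diagnose() {
  ver=$(cli_version "$1")
  if [ -z "$ver" ]; then echo cli-unknown; return 1; fi
  if ! version_ge "$ver" "$MIN_CLI"; then echo cli-too-old; return 1; fi
  if [ -z "$2" ] || [ -z "$3" ]; then echo env-missing; return 1; fi
  if [ ! -r "$3" ]; then echo token-unreadable; return 1; fi
  # An assumed-role ARN carries the role name without its IAM path.
  want=${2##*/}
  got=$(printf '%s\n' "$4" | sed -n 's|.*:assumed-role/\([^/]*\)/.*|\1|p')
  if [ "$got" != "$want" ]; then echo "wrong-role:$got"; return 1; fi
  echo ok
}

# Constructed run mirroring the issue: old CLI, caller identity is the node role.
diagnose 'aws-cli/1.16.199 Python/2.7.16 Linux/4.14' \
  'arn:aws:iam::111122223333:role/spot-handler' /dev/null \
  'arn:aws:sts::111122223333:assumed-role/eks-worker/i-0123456789abcdef0' || true

# Live use inside the pod:
#   diagnose "$(aws --version 2>&1)" "$AWS_ROLE_ARN" "$AWS_WEB_IDENTITY_TOKEN_FILE" \
#     "$(aws sts get-caller-identity --query Arn --output text)"
```

A `wrong-role:` verdict with a new enough CLI means the web identity variables are present but the call is still being made with other credentials, so the next thing to check is the service account annotation and whether the pod was restarted after it was set.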