Open agulhane-tibco opened 2 years ago
Any update here?
Hi @agulhane-tibco! Sorry for the late answer.
The AWS STS service is not supported currently, you can install liqo by using helm
Make sure to set:
- discovery.config.clusterName
- the service.beta.kubernetes.io/aws-load-balancer-type: nlb annotation in gateway.service.annotations
- the awsConfig values with an access id for a user with permission on iam:CreateUser, iam:CreateAccessKey, and eks:DescribeCluster, required to give the required access to the local API server to remote clusters
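Added example, not from this thread or from the Liqo project: a Helm values file for the workaround described above (install via helm with the cluster name, the NLB annotation and the awsConfig credentials). The awsConfig key names, the "liqo-" user prefix used to scope the IAM policy, and all placeholder values are assumptions; check `helm show values` for the chart version you install.

```yaml
# values-aws.yaml (added example, not the Liqo project's own file).
# Assumption: the awsConfig key names below match the chart version in use;
# verify them with `helm show values` before applying.
discovery:
  config:
    clusterName: my-eks-cluster            # placeholder: a name unique among peered clusters

gateway:
  service:
    annotations:
      # Expose the gateway through an AWS Network Load Balancer
      service.beta.kubernetes.io/aws-load-balancer-type: nlb

awsConfig:
  # Use long-lived keys of a dedicated IAM user rather than your federated
  # STS session: session credentials expire and carry a session token that
  # these values have no field for (assumption about the chart's fields).
  accessKeyId: "AKIA_PLACEHOLDER"
  secretAccessKey: "SECRET_PLACEHOLDER"    # pass with --set-file or a secret, never commit it
  region: us-east-2
  clusterName: federations                 # EKS cluster name as used in the issue

# The IAM user behind these keys needs iam:CreateUser, iam:CreateAccessKey
# and eks:DescribeCluster. Both IAM actions allow creating new principals, so
# restrict them by resource in that user's policy instead of granting "*",
# e.g. (assumption: users created by Liqo match the "liqo-*" name pattern):
#   "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
#   "Resource": "arn:aws:iam::<account-id>:user/liqo-*"
#   "Action": "eks:DescribeCluster",
#   "Resource": "arn:aws:eks:us-east-2:<account-id>:cluster/federations"
# Rotate or remove the installer key once peering has been established.
```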
We should investigate better what the blocker is here. Yet, this is not currently high on our priority list, since it is only related to liqoctl install and a workaround exists, unless there is a strong demand from the community.
Thanks @aleoli for the response. But can you confirm that in future, AWS STS service support will be included or not?
@agulhane-tibco It depends on the requests coming from the community, and the support we get from interested partners :-)
Hi @aleoli, we tried out the solution which you provided to Aniket; however, it fails to connect to another cluster that has liqo installed. Below is the error we are getting:
E0912 17:36:23.296209 1 foreign-cluster-controller.go:219] InvalidClientTokenId: The security token included in the request is invalid. status code: 403, request id: xxxxxx-xxxx-xxx-xxxx-xxxxxxxx
Hi @saushind-tibco! It seems that the other cluster (the remote one) is not able to sign a request to the AWS APIs. Can you check the logs of the AuthService in the other cluster and that the AWS IAM keys provided to the remote cluster are valid?
Hi @aleoli, does liqo create new users for further processing? As our infrastructure is built on STS, our account does not have any provision for creating new users. Is there any workaround to use roles instead of relying on users being created?
Hi @saushind-tibco! At the moment, the IAM user creation is required; we have to investigate more deeply the ways to authenticate remote clusters.
Hi @aleoli, we have a limitation providing user-creation access to the IAM user. Is there any other way we can use it, like passing a pre-created user that Liqo would use to authenticate the remote cluster?
No, at the moment no other mechanism is supported, but we are open to suggestions and contributions from the community to provide it in a future release.
@agulhane-tibco I am also using STS and with 0.6.0 I am able to run liqoctl install eks --eks-cluster-region=ap-south-1 --eks-cluster-name=external --cluster-labels=workload=high as well as establish out-of-band peering.
The IAM role you are assuming is going to be used to create a liqo-user, since liqo doesn't support IRSA yet. All peering will happen using the same user.
If you are still blocked feel free to ping me on slack.
What happened:
We have an AWS account with federated user access. So, to connect to the AWS account from a local machine, we use the STS service, but while executing "liqoctl install aws" we receive an error. It seems there is no support for this in "liqoctl".
As of now I cannot see any flags for installing "liqo" on an AWS EKS cluster using STS in the "liqoctl" command.
Error we are receiving:
-sh-4.2$ liqoctl install eks --eks-cluster-region us-east-2 --eks-cluster-name federations
INFO Installer initialized
ERRO Error retrieving provider specific configuration: failed retrieving cluster information: unable to get cluste status code: 403, request id: ffde161b-f549
What you expected to happen:
AWS federated user should be able to connect using STS while executing "liqoctl install aws".
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
Kubernetes version (kubectl version): v1.22 / v1.23