liqotech / liqo

Enable dynamic and seamless Kubernetes multi-cluster topologies
https://liqo.io
Apache License 2.0

LIQO not working with AWS federated user (using STS Security Token Service) #1410

Open agulhane-tibco opened 2 years ago

agulhane-tibco commented 2 years ago

What happened:

We have an AWS account with federated user access. So, to connect to the AWS account from a local machine, we use the STS service, but while executing "liqoctl install aws" we receive an error. It seems there is no support for this in "liqoctl".

As of now I cannot see any flags for installing "liqo" on an AWS EKS cluster using STS in the "liqoctl" command.

Error we are receiving:

  -sh-4.2$ liqoctl install eks --eks-cluster-region us-east-2 --eks-cluster-name federations
  INFO Installer initialized
  ERRO Error retrieving provider specific configuration: failed retrieving cluster information: unable to get cluste status code: 403, request id: ffde161b-f549

What you expected to happen:

An AWS federated user should be able to connect using STS while executing "liqoctl install aws".

How to reproduce it (as minimally and precisely as possible):

  1. Log in the AWS federated user using STS.
  2. Create an EKS cluster.
  3. Try to deploy "liqo" using the liqoctl command.
  4. We are using the above command.

Anything else we need to know?:

Environment:

agulhane-tibco commented 2 years ago

Any update here?

aleoli commented 2 years ago

Hi @agulhane-tibco! Sorry for the late answer.

The AWS STS service is not currently supported; you can install liqo by using helm.

Make sure to set:

agulhane-tibco commented 2 years ago

Thanks @aleoli for the response. But can you confirm that in future, AWS STS service support will be included or not?

aleoli commented 2 years ago

We should investigate further what the blocker is here. Yet, this is not currently high on our priority list, since it is only related to liqoctl install and a workaround exists, unless there is strong demand from the community.

frisso commented 2 years ago

Thanks @aleoli for the response. But can you confirm that in future, AWS STS service support will be included or not?

@agulhane-tibco It depends on the requests coming from the community, and the support we get from interested partners :-)

saushind-tibco commented 2 years ago

Hi @aleoli, we tried out the solution which you provided to Aniket; however, it fails to connect to another cluster that has liqo installed. Below is the error we are getting:

  E0912 17:36:23.296209 1 foreign-cluster-controller.go:219] InvalidClientTokenId: The security token included in the request is invalid. status code: 403, request id: xxxxxx-xxxx-xxx-xxxx-xxxxxxxx

aleoli commented 2 years ago

Hi @saushind-tibco! It seems that the other cluster (the remote one) is not able to sign a request to the AWS APIs. Can you check the logs of the AuthService in the other cluster and that the AWS IAM keys provided to the remote cluster are valid?

saushind-tibco commented 2 years ago

Hi @aleoli, does liqo create new users for further processing? As our infrastructure is built on STS, our account does not have any provision for creating new users. Is there any workaround to use roles instead of relying on users being created?

aleoli commented 2 years ago

Hi @saushind-tibco! At the moment, the IAM user creation is required; we have to investigate more deeply the ways to authenticate remote clusters.

saushind-tibco commented 2 years ago

Hi @aleoli, we have a limitation providing user creation access to the IAM user. Is there any other way we can use it, like passing a pre-created user that Liqo would use to authenticate the remote cluster?

aleoli commented 2 years ago

No, at the moment no other mechanism is supported, but we are open to suggestions and contributions from the community to provide it in a future release.

rverma-dev commented 1 year ago

@agulhane-tibco I am also using STS and, with 0.6.0, I am able to install with liqoctl install eks --eks-cluster-region=ap-south-1 --eks-cluster-name=external --cluster-labels=workload=high as well as establish out-of-band peering.

The IAM role you are assuming is going to be used to create a liqo-user, since liqo doesn't support IRSA yet. All peering will happen using the same user.

If you are still blocked feel free to ping me on slack.
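A preflight check that ties together the two failure modes in this thread: the 403 on reading the cluster during liqoctl install eks, and the fact that the installer needs to create a dedicated IAM user with the credentials it is given. It is an added example, not liqo project code; it assumes the AWS CLI v2 is installed and the caller is allowed to run iam:SimulatePrincipalPolicy, and the action list is an assumption based on what the thread describes, not the installer's exact permission set.

```shell
#!/bin/sh
# Preflight for `liqoctl install eks` under STS credentials (added example,
# not part of liqo). Assumes AWS CLI v2 and permission to simulate policies.

# Classify the caller's principal ARN so you know whether you are running as a
# long-lived IAM user or as an STS session (federated / SSO / AssumeRole).
classify_principal() {
  case "$1" in
    arn:aws:iam::*:user/*)           echo user ;;
    arn:aws:sts::*:assumed-role/*)   echo assumed-role ;;
    arn:aws:sts::*:federated-user/*) echo federated-user ;;
    *)                               echo other ;;
  esac
}

# simulate-principal-policy wants the role ARN, not the session ARN, so map
# arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCT:role/ROLE
role_arn_from_session() {
  printf '%s\n' "$1" |
    sed -E 's#^arn:aws:sts::([0-9]+):assumed-role/([^/]+)/.*$#arn:aws:iam::\1:role/\2#'
}

# Actions the thread implies the installer needs: reading the cluster (the
# 403 in the report) and creating the liqo IAM user plus its access key.
# This list is an assumption, not liqo's documented permission set.
LIQO_ACTIONS="eks:DescribeCluster iam:CreateUser iam:CreateAccessKey"

# Print the caller identity and an allow/deny verdict per action.
preflight() {
  identity=$(aws sts get-caller-identity --query Arn --output text) || return 1
  kind=$(classify_principal "$identity")
  echo "caller: $identity ($kind)"
  case "$kind" in
    assumed-role) source=$(role_arn_from_session "$identity") ;;
    user)         source=$identity ;;
    *) echo "cannot simulate policy for principal type '$kind'"; return 1 ;;
  esac
  # shellcheck disable=SC2086  # LIQO_ACTIONS is intentionally word-split
  aws iam simulate-principal-policy --policy-source-arn "$source" \
    --action-names $LIQO_ACTIONS \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text
}

# Call `preflight` from an interactive shell; any "implicitDeny" or
# "explicitDeny" row explains the 403 before you touch the cluster.
```

If iam:CreateUser is denied for your federated role, that is the block @aleoli describes above, and no liqoctl flag will work around it until role-based authentication is supported.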