LIQO not working with AWS federated user (using STS Security Token Service)

[agulhane-tibco]

What happened:

We have AWS account with federated user access. So to connect with AWS account from local machine, we use STS service but while executing "liqoctl install aws" we are receiving error. It seems there is no support from "liqoctl".

As of now I can not see any flags while installing "liqo" on AWS EKS cluster using STS in "liqoctl" command.

Error we are receiving : -sh-4.2$ liqoctl install eks --eks-cluster-region us-east-2 --eks-cluster-name federations INFO Installer initialized ERRO Error retrieving provider specific configuration: failed retrieving cluster information: unable to get cluste status code: 403, request id: ffde161b-f549

What you expected to happen:

AWS federated user should be able to connect using STS while executing "liqoctl install aws".

How to reproduce it (as minimally and precisely as possible):

1. Login the AWS federated user using STS.
2. Create EKS cluster
3. Try to deploy "liqo using liqoctl command
4. We are using above command.

Anything else we need to know?:

Environment:

• Liqo version: v0.5.4
• Kubernetes version (use kubectl version): v1.22 / v1.23
• Cloud provider or hardware configuration: AWS Federated user
• Network plugin and version: Kubenet
• Install tools: liqoctl
• Others:

[agulhane-tibco]

Any update here?

[aleoli]

Hi @agulhane-tibco! Sorry for the late answer.

The AWS STS service is not supported currently, you can install liqo by using helm

Make sure to set:

• the pod and service CIDRs for your cluster accordingly
• the cluster name in discovery.config.clusterName
• the service.beta.kubernetes.io/aws-load-balancer-type: nlb annotation in gateway.service.annotations
• the awsConfig values with an access id for a user with permission on iam:CreateUser, iam:CreateAccessKey, and eks:DescribeCluster, required to give the required access to the local API server to remote clusters

[agulhane-tibco]

Thanks @aleoli for the response. But can you confirm that in future, AWS STS service support will be included or not?

[aleoli]

We should investigate better which is the blocker here. Yet, this is not currently high on our priority list since it is only related to liqoctl install and a workaround exists, unless there is a strong demand from the community

[frisso]

Thanks @aleoli for the response. But can you confirm that in future, AWS STS service support will be included or not?

@agulhane-tibco It depends on the requests coming from the community, and the support we get from interested partners :-)

[saushind-tibco]

Hi @aleoli, we tried out the solution which you have provided to Aniket, however it fails to connect to another cluster having liqo installed, below is the error we are getting E0912 17:36:23.296209 1 foreign-cluster-controller.go:219] InvalidClientTokenId: The security token included in the request is invalid. status code: 403, request id: xxxxxx-xxxx-xxx-xxxx-xxxxxxxx

[aleoli]

Hi @saushind-tibco! It seems that the other cluster (the remote one) is not able to sign a request to the AWS APIs. Can you check the logs of the AuthService in the other cluster and that the AWS IAM keys provided to the remote cluster are valid?

[saushind-tibco]

Hi @aleoli , Do liqo create new users for further processing? as our infrastructure is build on STS, our account do not have any provision of creating any new users. is there any workaround to use roles instead of relying on users to be created?

[aleoli]

Hi @saushind-tibco! At the moment, the IAM user creation is required, we have to investigate deeper the ways to authenticate remote clusters.

[saushind-tibco]

Hi @aleoli We have a limitation providing user creation access to the IAM user, is there any other way we can use it, like pass on a pre-created user that Liqo would use to authenticate the remote cluster?

[aleoli]

No, at the moment no other mechanism is currently supported, but we are open to suggestions and contributions from the community to provide it in a future release

[rverma-dev]

@agulhane-tibco I am also using STS and with the 0.6.0, I am able to install liqoctl install eks --eks-cluster-region=ap-south-1 --eks-cluster-name=external --cluster-labels=workload=high as well as establish out-of-bound peering.

The IAM role you are assuming is going to be used to create a liqo-user, since liqo doesn't support IRSA yet. All peering will happen using the same user.

If you are still blocked feel free to ping me on slack.