Open Bart-Leboeuf opened 10 months ago
it should work now that aws-sdk v2 has been upgraded.
@vishal-chdhry is the latest untagged tag safe to use? we are still using the commit that corresponds to the v1 tag.
@calvinbui yes you can use latest, it is safe to use
thanks @vishal-chdhry the latest tag latest@sha256:c8ee5afd88cb1d6c4f0d27c9fb5581982841ca1ad9be742a1095cdcb89de60cc works - but eks pod identity is still not working. same error as OP listed.
failed to execute the verify-signature command for plugin com.amazonaws.signer.notation.plugin: ERROR: invalid endpoint host, "169.254.170.23", only loopback hosts are allowed
i believe the problem is the aws-signer plugin's dependency is out of date based on the error message. the version on their website is 1.0.298, GitHub is 1.0.350. i'll test this out.
@calvinbui I think you are right. The minimum SDK version for golang is a release from November 2023: https://docs.aws.amazon.com/eks/latest/userguide/pod-id-minimum-sdk.html
The signer binary was last updated in June 2023: Bin Download Page Changelog: https://d2hvyiie56hcat.cloudfront.net/CHANGELOG
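The error quoted above comes from host validation of the container credentials endpoint. The following sketch is an added example, not code from this thread, the signer plugin or the AWS SDK: it compares a loopback-only rule with a rule that also accepts the link-local agent addresses. `CheckEndpoint` and `agentAddrs` are hypothetical names, the allow-list is an assumption about what Pod Identity capable SDK releases accept, and only plain-HTTP URIs with IP-literal hosts are modelled.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Assumed allow-list: ECS endpoint, then the EKS Pod Identity agent (IPv4, IPv6).
var agentAddrs = []net.IP{
	net.ParseIP("169.254.170.2"),
	net.ParseIP("169.254.170.23"),
	net.ParseIP("fd00:ec2::23"),
}

// CheckEndpoint reports whether a credentials URI passes a loopback-only rule
// (old behaviour) and a loopback-plus-allow-list rule (newer behaviour).
func CheckEndpoint(raw string) (loopbackOnly, withAllowList bool, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, false, err
	}
	if u.Scheme != "http" {
		return false, false, fmt.Errorf("scheme %q is not modelled here", u.Scheme)
	}
	ip := net.ParseIP(u.Hostname()) // Hostname() strips port and IPv6 brackets
	if ip == nil {
		return false, false, fmt.Errorf("host %q is not an IP literal", u.Hostname())
	}
	loopbackOnly = ip.IsLoopback()
	withAllowList = loopbackOnly
	for _, a := range agentAddrs {
		if a.Equal(ip) {
			withAllowList = true
		}
	}
	return loopbackOnly, withAllowList, nil
}

func main() {
	// Constructed sample values for AWS_CONTAINER_CREDENTIALS_FULL_URI.
	for _, raw := range []string{
		"http://169.254.170.23/v1/credentials",
		"http://[fd00:ec2::23]/v1/credentials",
		"http://127.0.0.1:8080/creds",
		"http://10.0.0.5/creds",
	} {
		old, cur, err := CheckEndpoint(raw)
		fmt.Printf("%-40s loopback-only=%v allow-list=%v err=%v\n", raw, old, cur, err)
	}
}
```

A URI that fails the first rule but passes the second points at an outdated SDK dependency in the binary rather than at the pod's configuration.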
We've tried using EKS Pod Identity with kyverno-notation-aws (V1). It seems that the authentication endpoint is not taken into account by the application, so the role is not assumed. Using IRSA, it works correctly. In the same cluster, we have other containers that work perfectly with EKS Pod Identity.
Using IRSA :
Using Pod Identity association :
I can see the credentials variables set on the Pod :