import-map-deployer ignores the role assigned to the service account when running in k8s/EKS. As a result, it is impossible to limit S3 access permissions just to the particular pod with import-map-deployer running.
Looks like aws-sdk@2.181.0 locked in the yarn.lock file has either a bug or a lack of functionality, and it seems to ignore AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE provided by the EKS integration with AWS IAM roles.
When I run your image with an interactive shell and execute the commands below in the node REPL:
I got the EKS Worker node role in return.
However, when I run your base image (node:14-alpine) and install the latest aws-sdk@2 (in my case it is 2.1274.0), it returns the role assigned to the service account. I double-checked this using the same image (node:14-alpine) and explicitly installing aws-sdk@2.181.0, and the behaviour is exactly the same as in your image.
Possibly the quickest fix is to update the aws-sdk@2 version in yarn.lock to something more recent.
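A startup check for the fallback described in this report, added here as an example and not code from the issue or from import-map-deployer: it compares the Arn field returned by STS GetCallerIdentity with AWS_ROLE_ARN and flags a pod that resolved some other role. The function names, account ID, role names and token path are constructed for illustration.

```javascript
// Added example (not import-map-deployer code). All ARNs below are constructed.

// IAM role ARN: arn:<partition>:iam::<account>:role/<optional path/>Name
function parseRoleArn(arn) {
  const m = /^arn:([^:]+):iam::(\d{12}):role\/(?:.+\/)?([^/]+)$/.exec(arn || '');
  return m ? { partition: m[1], account: m[2], name: m[3] } : null;
}

// STS caller ARN: arn:<partition>:sts::<account>:assumed-role/Name/<session>
// Note that the role path is not present in this form, only the role name.
function parseAssumedRoleArn(arn) {
  const m = /^arn:([^:]+):sts::(\d{12}):assumed-role\/([^/]+)\/(.+)$/.exec(arn || '');
  return m ? { partition: m[1], account: m[2], name: m[3], session: m[4] } : null;
}

// Decide whether the identity the SDK resolved is the service account role.
// env: the pod's environment; callerArn: Arn from STS GetCallerIdentity.
function checkPodIdentity(env, callerArn) {
  const expected = parseRoleArn(env.AWS_ROLE_ARN);
  if (!expected || !env.AWS_WEB_IDENTITY_TOKEN_FILE) {
    return { ok: false, reason: 'irsa-env-missing' };
  }
  const actual = parseAssumedRoleArn(callerArn);
  if (!actual) return { ok: false, reason: 'caller-not-assumed-role' };
  const same = actual.partition === expected.partition &&
    actual.account === expected.account &&
    actual.name === expected.name;
  return same
    ? { ok: true, reason: 'service-account-role' }
    : { ok: false, reason: 'fallback-role', got: actual.name, want: expected.name };
}

// Constructed sample values: one pod environment and two possible callers.
const SAMPLE_ENV = {
  AWS_ROLE_ARN: 'arn:aws:iam::111122223333:role/deployer/import-map-deployer-s3',
  AWS_WEB_IDENTITY_TOKEN_FILE: '/var/run/secrets/example/serviceaccount/token',
};
const NODE_ROLE_CALLER =
  'arn:aws:sts::111122223333:assumed-role/eks-worker-node-role/i-0123456789abcdef0';
const IRSA_CALLER =
  'arn:aws:sts::111122223333:assumed-role/import-map-deployer-s3/session-1';

for (const caller of [NODE_ROLE_CALLER, IRSA_CALLER]) {
  console.log(caller, JSON.stringify(checkPodIdentity(SAMPLE_ENV, caller)));
}
```

A 'fallback-role' result means the pod holds whatever S3 permissions the other role grants, so the service account policy is not what limits its access.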