Closed sushama-kothawale closed 8 months ago
There is nothing wrong with aioboto3
using IRSA
I just ran the following on my IRSA enabled kube cluster
import asyncio
import aioboto3
async def main():
print(f"Version: {aioboto3.__version__}")
session = aioboto3.Session()
async with session.client("sts") as sts:
resp = await sts.get_caller_identity()
print(f"IAM: {resp['Arn'].split(':')[-1]}")
if __name__ == '__main__':
asyncio.run(main())
and got:
root@test:/# python3 /tmp/a.py
Version: 12.0.0
IAM: assumed-role/homelab_pod_cert_manager/botocore-session-1699376436
root@test:/#
I'd suggest you go check the assume role policy and that its correct for both the namespace and service account name.
Thanks @terrycain for quick response.
From the above output it looks like you are using 12.0.0 version. In our code we are using 9.2.0 aiboto3 package version wich is compatible with python 3.7. so we need to know which aiboto3 version will be compatible with python 3.7 + IRSA?
root@test:/# python3 /tmp/a.py
Version: 9.2.0
IAM: assumed-role/homelab_pod_cert_manager/botocore-session-1699377170
9.2.0 works fine. This is a problem on your end. And for reference you can look through the PyPI releases to see what aioboto3
versions work with 3.7, if i remember correction everything before version 12 does.
Description
Our few services using aiboto3 9.2.0 version, recently we added support for IRSA (to use AWS IAM Roles for Service Accounts )with Amazon EKS . After adding this support services starts breaking with below errors:
sts:AssumeRoleWithWebIdentity these permissions are already attached to the role which is getting used in service, still getting above error. It seems aiboto3 version is not compatible with IRSA.
Below is our requirements.txt file:
Can someone please check this quickly? As our system is broken currently.