wundergraph / cosmo

The open-source solution to building, maintaining, and collaborating on GraphQL Federation at Scale. The alternative to Apollo Studio and GraphOS.
https://cosmo-docs.wundergraph.com/
Apache License 2.0

Router does not support using EC2 IAM role for S3 storage provider #1249

Closed lachlan-smith closed 2 days ago

lachlan-smith commented 1 week ago

Component(s)

router

Component version

0.121.0

wgc version

0.66.2

controlplane version

n/a

router version

0.121.0

What happened?

Description

When using the routers with the S3 storage provider and deploying to EKS, it is not possible to use the EKS/EC2 node IAM role for authenticating against S3.

This appears to be because of the way the minio-go client is being instantiated, by only providing a static credentials configuration.

When deploying into an EKS cluster, using IAM roles is preferable, as kubelet will intercept the calls to the AWS API and handle authentication on your behalf using the IAM role/policy assigned to the EC2 node. More info on this can be found here: https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html

Steps to Reproduce

In the router's config.yaml, configure a storage provider and attempt to load the execution config from it:

storage_providers:
  s3:
  - id: "s3"
    endpoint: "s3.amazonaws.com"
    bucket: "my-config-bucket"
    region: "us-east-1"
    secure: true

execution_config:
  storage:
    provider_id: s3
    object_path: "execution-config.json"

Expected Result

The router is able to load the execution configuration from the bucket and start successfully.

Actual Result

The router fails to start and logs an "Access denied" error when trying to load the execution configuration from the S3 bucket.

Environment information

Environment

OS: AWS EKS (Kubernetes 1.29)
Package Manager: npm
Compiler (if manually compiled): n/a

Router configuration

No response

Router execution config

No response

Log output

No response

Additional context

No response
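The credential selection this issue asks for, as an added example (not the router's code and not the linked fix): static keys are used when configured, otherwise the node role's temporary keys are read through the EC2 instance metadata service's IMDSv2 flow. `Creds`, `Fetch`, `Resolve` and `FakeIMDS` are hypothetical names, the HTTP transport is injected as `Fetch`, and the fake service and its key values are constructed so the block runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const rolePath = "/latest/meta-data/iam/security-credentials/"

// Creds and Fetch are hypothetical names; a Fetch performs one metadata request.
type Creds struct{ AccessKeyId, SecretAccessKey, Token, Source string }
type Fetch func(method, path, header, value string) (string, error)

// Resolve returns static keys if set, else walks IMDSv2: token, role name, role keys.
func Resolve(accessKey, secretKey string, fetch Fetch) (Creds, error) {
	if accessKey != "" && secretKey != "" {
		return Creds{AccessKeyId: accessKey, SecretAccessKey: secretKey, Source: "static"}, nil
	}
	c := Creds{Source: "iam-role"}
	tok, err := fetch("PUT", "/latest/api/token", "X-aws-ec2-metadata-token-ttl-seconds", "300")
	if err != nil {
		return c, err
	}
	role, err := fetch("GET", rolePath, "X-aws-ec2-metadata-token", tok)
	if err != nil {
		return c, err
	}
	doc, err := fetch("GET", rolePath+role, "X-aws-ec2-metadata-token", tok)
	if err != nil {
		return c, err
	}
	err = json.Unmarshal([]byte(doc), &c)
	return c, err
}

// FakeIMDS is a constructed in-memory stand-in for the metadata service.
func FakeIMDS(method, path, header, value string) (string, error) {
	switch {
	case method == "PUT" && path == "/latest/api/token":
		return "tok", nil
	case header != "X-aws-ec2-metadata-token" || value != "tok":
		return "", fmt.Errorf("401 Unauthorized")
	case path == rolePath:
		return "node-role", nil
	}
	return `{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"s","Token":"t"}`, nil
}

func main() { fmt.Println(Resolve("", "", FakeIMDS)) }
```

In a real deployment `Fetch` would issue the request over HTTP to the instance metadata endpoint, and the returned keys expire, so they have to be refreshed rather than cached for the life of the process.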

github-actions[bot] commented 1 week ago

WunderGraph commits fully to Open Source and we want to make sure that we can help you as fast as possible. The roadmap is driven by our customers and we have to prioritize issues that are important to them. You can influence the priority by becoming a customer. Please contact us here.

lachlan-smith commented 1 week ago

I've opened a PR with a fix here https://github.com/wundergraph/cosmo/pull/1250

lachlan-smith commented 2 days ago

Resolved with https://github.com/wundergraph/cosmo/commit/5d67c4b6aceb0a9fbf2bb99e57a75f5b163d93f9