Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

S3 CRT Client not using IAM role for the EKS/Kubernetes service account #4579

Closed
singhbaljit opened this issue Oct 11, 2023 · 3 comments
Closed

S3 CRT Client not using IAM role for the EKS/Kubernetes service account #4579

singhbaljit opened this issue Oct 11, 2023 · 3 comments
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@singhbaljit
Copy link

singhbaljit commented Oct 11, 2023
edited
Loading

Describe the bug

The S3 CRT client does not use the IAM role attached to the service account in Kubernetes. I'm building the client with default credentials provider chain. Instead, it tries to use the role of the EKS/Kubernetes node. I do have the STS module on the the classpath. Other SDK clients are correctly use the IAM role. Even the Netty-based async client works with the role.

Expected Behavior

The CRT based client use the default credentials provider chain correctly, and use the IAM role for the container.

Current Behavior

It tries to use the role of the Kubernetes node. I see authentication error where it points to the node role not having the correct IAM actions. Those actions only exists on the container IAM role.

Reproduction Steps

  1. Create a standard CRT client
  2. Deploy to a container, and attach IAM role to the service account for the container.
  3. Make a request to upload/download with the CRT client.

Possible Solution

It should use the IAM role for the container.

Additional Information/Context

No response

AWS Java SDK version used

2.20.162, 0.27.3 (CRT)

JDK version used

Corretto 17.0.8

Operating System and version

Amazon Linux 2023
@singhbaljit singhbaljit added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 11, 2023
@singhbaljit singhbaljit changed the title S3 CRT Client not using IAM role for the Kubernetes service account S3 CRT Client not using IAM role for the EKS/Kubernetes service account Oct 11, 2023
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@cbui
Copy link

cbui commented Oct 17, 2023

@singhbaljit did you find a solution for this?

@singhbaljit
Copy link
Author

@cbui This issue was opened incorrectly. I found the root cause: #4583

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cbui @singhbaljit