
AWS Role to be assumed not being read from configuration file. #3142

Closed
jwalters-gpsw opened this issue Apr 8, 2020 · 6 comments · Fixed by vmware-tanzu/velero-plugin-for-aws#168 or #6598

Comments

@jwalters-gpsw

Versions

Version: v1.3.2
AWS Plugin Version: 1.0.1
AWS EKS Version: 1.15

Description

Though my config file has role_arn and source_profile entries, it does not appear the role is being assumed.

Details

$ velero install --provider aws --plugins velero/velero-plugin-for-aws:v1.0.1 --bucket backup-velero --secret-file ./config

time="2020-04-07T23:01:43Z" level=info msg="Checking that all backup storage locations are valid" logSource="pkg/cmd/server/server.go:413"
An error occurred: some backup storage locations are invalid: backup store for location "default" is invalid: rpc error: code = Unknown desc = AccessDenied: Access Denied

./config

[default]
region = us-west-2
role_arn=arn:aws:iam::99999999999:role/IAM_CARole_XXX
source_profile=eks

[profile eks]
aws_access_key_id = AKIAXXXXXXXX
aws_secret_access_key = mfrXXXXXXXXXXXXXXXX

Additional Information

I ran up another pod in the same cluster using the mesosphere/aws-cli:latest docker image. Then exec'd into the image and copied the same config (pointed to with the AWS_CONFIG_FILE environment variable). All the aws s3 commands worked fine on the bucket.

I suspect the stscreds.NewCredentials call needs to be used as described in the Assume Role section here.
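As an added example (not code from this issue or from the Velero AWS plugin), a small Go parser for the shared config format quoted above that resolves the role_arn/source_profile chain the way a role-aware credential loader must, and reports the common misconfigurations (missing profile, missing source_profile, a profile with no credentials, a source_profile loop); the ARN and keys in SampleConfig are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const SampleConfig = "[default]\nregion = us-west-2\nrole_arn=arn:aws:iam::123456789012:role/ExampleRole\nsource_profile=eks\n\n[profile eks]\naws_access_key_id = AKIAEXAMPLE\naws_secret_access_key = EXAMPLESECRET\n" // constructed sample, not real keys

// ParseSharedConfig reads the INI-style shared config into profile -> key -> value; headers are "[default]" or "[profile NAME]".
func ParseSharedConfig(text string) map[string]map[string]string {
	profiles, sc := map[string]map[string]string{}, bufio.NewScanner(strings.NewReader(text))
	var cur map[string]string
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = map[string]string{}
			profiles[strings.TrimSpace(strings.TrimPrefix(strings.Trim(line, "[]"), "profile "))] = cur
		} else if k, v, ok := strings.Cut(line, "="); ok && cur != nil {
			cur[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return profiles
}

// ResolveChain follows role_arn/source_profile links from the starting profile to the profile holding static
// keys, returning the roles to assume (in order) and that profile's name; errors cover the usual misconfigurations.
func ResolveChain(profiles map[string]map[string]string, start string) ([]string, string, error) {
	roles, seen := []string{}, map[string]bool{}
	for name := start; ; name = profiles[name]["source_profile"] {
		p, ok := profiles[name]
		switch {
		case !ok:
			return nil, "", fmt.Errorf("profile %q not found", name)
		case seen[name]:
			return nil, "", fmt.Errorf("source_profile cycle at %q", name)
		case p["role_arn"] == "" && p["aws_access_key_id"] == "":
			return nil, "", fmt.Errorf("profile %q has no credentials", name)
		case p["role_arn"] == "":
			return roles, name, nil
		case p["source_profile"] == "":
			return nil, "", fmt.Errorf("profile %q sets role_arn without source_profile", name)
		}
		seen[name], roles = true, append(roles, p["role_arn"])
	}
}
```

A loader that only reads aws_access_key_id from the starting profile, which is the behaviour this issue reports, would stop at [default] and never see the role that ResolveChain returns.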

@jwalters-gpsw
Author

I'm guessing something like what is being done in aws-okta needs to be done.
https://github.com/segmentio/aws-okta/blob/2840c02437b9069bede10682de2298cef7aa30f1/lib/provider.go#L303

I'll see if I can get a pull request together.

@carlisia
Contributor

Hey @jwalters-gpsw, would you still like to take a stab at this?

@nrb nrb transferred this issue from vmware-tanzu/velero-plugin-for-aws Dec 7, 2020
@nrb nrb changed the title Role to be assumed not being read from configuration file. AWS Role to be assumed not being read from configuration file. Dec 7, 2020
@nrb nrb added the Help wanted label Dec 7, 2020
@eleanor-millman eleanor-millman added the Icebox We see the value, but it is not slated for the next couple releases. label May 11, 2021
@luisdavim
Contributor

I've opened a PR on the AWS plugin to solve this: vmware-tanzu/velero-plugin-for-aws#168

@reasonerjt reasonerjt self-assigned this Aug 7, 2023
@reasonerjt reasonerjt added 1.13-candidate issue/pr that should be considered to target v1.13 minor release and removed Reviewed Q2 2021 Icebox We see the value, but it is not slated for the next couple releases. Help wanted labels Aug 7, 2023
@danfengliu
Contributor

danfengliu commented Aug 23, 2023

I'm facing an AccessDenied issue with the merged PR #6598; @reasonerjt will submit a PR to fix it.

time="2023-08-17T08:37:32Z" level=error msg="Error listing backups in backup store" backupLocation=velero/default controller=backup-sync error="rpc error: code = Unknown desc = AccessDenied: Access Denied\n\tstatus code: 403, request id: xx, host id: xxxx=" error.file="/go/src/velero-plugin-for-aws/velero-plugin-for-aws/object_store.go:436" error.function="main.(*ObjectStore).ListCommonPrefixes" logSource="pkg/controller/backup_sync_controller.go:107"

@danfengliu danfengliu reopened this Aug 23, 2023
@reasonerjt
Contributor

Seems this is b/c when velero is installed via CLI the credential file is set via environment variable.
This PR should fix the problem:
vmware-tanzu/velero-plugin-for-aws#171

@reasonerjt reasonerjt added this to the v1.12 milestone Aug 23, 2023
@reasonerjt reasonerjt removed the 1.13-candidate issue/pr that should be considered to target v1.13 minor release label Aug 23, 2023
@reasonerjt
Contributor

Closing this issue as fixed.
