mirror of
https://github.com/s3fs-fuse/s3fs-fuse.git
synced 2026-04-25 13:26:00 +03:00
[GH-ISSUE #1601] s3fs not using EKS pod's service-account/IAM Role for accessing S3 #839
Originally created by @kadambkaluskar on GitHub (Mar 11, 2021).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/1601
Additional Information
The following information is very important in order to help us to help you. Omitting the following details may delay your support request or cause it to receive no attention at all.
Keep in mind that the commands we provide to retrieve information are oriented to GNU/Linux distributions, so you may need to use others if you use s3fs on macOS or BSD.
Version of s3fs being used (s3fs --version)
Amazon Simple Storage Service File System V1.80(commit:unknown) with GnuTLS(gcrypt)
Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse, dpkg -s fuse)
Version: 2.9.7-1+deb9u2
Kernel information (uname -r)
4.14.219-161.340.amzn2.x86_64
GNU/Linux Distribution, if applicable (cat /etc/os-release)
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
s3fs command line used, if applicable
s3fs syslog messages (grep s3fs /var/log/syslog, journalctl | grep s3fs, or s3fs outputs)
If you run s3fs with the dbglevel and curldbg options, you can get detailed debug messages.
Details about the issue
I am trying to mount an S3 bucket inside my Kubernetes pod, which is running on EKS.
To give S3 access to the pod, I have created an IAM role, attached it to a service account, and am using the same for s3fs.
But it seems the s3fs utility calls the EC2 metadata URL, where it doesn't find the mentioned IAM role, but the IAM role for the EKS node.
How can I mount an S3 bucket inside my EKS pod, with the help of the IAM role/Service Account?
This works when I use the access-keys for the same user, but I don't want to use the access-keys due to security reasons.
@kobi-toptal commented on GitHub (Oct 26, 2021):
I am having the same issue, any updates on this?
@elia-netroadshow commented on GitHub (Nov 1, 2021):
Seems to be happening here as well
@elia-netroadshow commented on GitHub (Nov 1, 2021):
Also in our case, the service makes the whole container instance non-responsive
@shidaxi commented on GitHub (Dec 26, 2021):
Met the same issue, any updates on this?
@Confushion commented on GitHub (Dec 29, 2021):
Same issue here when trying to use EKS OIDC Provider and ServiceAccount annotation.
It does however work with Kube2iam and pod annotation, but that's just what I try to get rid of...
@kobi-toptal commented on GitHub (Dec 29, 2021):
I have migrated to goofys; the code from the master branch has an updated AWS SDK. The AWS SDK automatically handles the authentication.
@rma945 commented on GitHub (Jan 20, 2022):
Looks like the whole auth mechanism in s3fs was done manually, so s3fs doesn't know anything about IRSA-based auth and doesn't use
the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE parameters. So this issue can be fixed if s3fs migrates to the AWS C++ SDK as described in this issue #1068.
@gaul commented on GitHub (Jan 23, 2022):
Moving to the C++ SDK is a heavy lift and unlikely to be done soon.
@nmeyerhans can you comment on IRSA? Does this relate to IMDSv2?
@nmeyerhans commented on GitHub (Jan 24, 2022):
No, this is completely unrelated to IMDSv2, which is basically a small modification to how a program interacts with the existing IMDS APIs. IRSA is a mechanism to allow IAM roles to be associated with Kubernetes pods. From the s3fs application's point of view, the API you need to use is sts.AssumeRoleWithWebIdentity. See also this blog post describing how it works.
Also, support for this has previously been requested in #1778.
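The two comments above describe the mechanism s3fs lacks: IRSA injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into the pod, and the projected token has to be exchanged via sts.AssumeRoleWithWebIdentity instead of asking IMDS for the node role. The following is an added example (not s3fs-fuse code, and not from any commenter) of a small wrapper a practitioner could run as the container entrypoint to do that exchange and hand the resulting temporary credentials to s3fs. It assumes s3fs accepts AWSACCESSKEYID, AWSSECRETACCESSKEY and AWSSESSIONTOKEN from the environment (check your s3fs version); the JWT, the STS XML response and the role ARN below are constructed sample data, and the only network call is isolated in `assume_role_with_web_identity`, which is not exercised offline.

```python
"""Exchange an IRSA web-identity token for STS credentials usable by s3fs.

Added example, not part of s3fs-fuse. Assumptions are marked inline.
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

STS_ENDPOINT = "https://sts.amazonaws.com/"
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"  # namespace of the STS XML API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a JWT. No signature check: STS verifies the token;
    we only inspect claims so we can fail fast on a token STS would reject."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(claims: dict, now: float, audience: str = "sts.amazonaws.com") -> None:
    """Reject tokens that are not a live, STS-audienced service-account token."""
    auds = claims.get("aud", [])
    if isinstance(auds, str):
        auds = [auds]
    if audience not in auds:
        raise ValueError(f"token audience {auds} does not include {audience}")
    if claims.get("exp", 0) <= now:
        raise ValueError("projected token has expired")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        raise ValueError("subject is not a Kubernetes service account")


def build_request(role_arn: str, token: str, session_name: str, duration: int = 3600) -> str:
    """Form body for AssumeRoleWithWebIdentity (unsigned call: the token is the credential)."""
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": token,
        "DurationSeconds": str(duration),
    })


def parse_credentials(xml_body: str) -> dict:
    """Map the STS <Credentials> element onto the env var names s3fs reads (assumed)."""
    root = ET.fromstring(xml_body)
    creds = root.find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    return {
        "AWSACCESSKEYID": creds.findtext(f"{STS_NS}AccessKeyId"),
        "AWSSECRETACCESSKEY": creds.findtext(f"{STS_NS}SecretAccessKey"),
        "AWSSESSIONTOKEN": creds.findtext(f"{STS_NS}SessionToken"),
        "Expiration": creds.findtext(f"{STS_NS}Expiration"),
    }


def assume_role_with_web_identity(role_arn: str, token: str, session_name: str) -> dict:
    """Network call to STS; not run in the offline test."""
    body = build_request(role_arn, token, session_name).encode()
    req = urllib.request.Request(STS_ENDPOINT, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_credentials(resp.read().decode())


def credentials_from_pod_env(env: dict, now: float) -> dict:
    """Read the two variables the IRSA webhook injects and perform the exchange."""
    role_arn = env["AWS_ROLE_ARN"]
    with open(env["AWS_WEB_IDENTITY_TOKEN_FILE"], encoding="utf-8") as f:
        token = f.read().strip()
    check_token(decode_jwt_claims(token), now)
    return assume_role_with_web_identity(role_arn, token, "s3fs")


# Constructed sample data (not real tokens or keys).
SAMPLE_CLAIMS = {
    "iss": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE",
    "sub": "system:serviceaccount:default:s3fs",
    "aud": ["sts.amazonaws.com"],
    "iat": 1615420800,
    "exp": 4102444800,  # year 2100, so the sample stays "live"
}
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256","kid":"k1"}'),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])
SAMPLE_STS_XML = (
    '<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">'
    "<AssumeRoleWithWebIdentityResult><Credentials>"
    "<SessionToken>EXAMPLE-SESSION-TOKEN</SessionToken><SecretAccessKey>EXAMPLE-SECRET</SecretAccessKey>"
    "<Expiration>2021-03-11T12:00:00Z</Expiration><AccessKeyId>ASIAEXAMPLE</AccessKeyId>"
    "</Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>"
)

if __name__ == "__main__":
    # In a real pod: exchange the token, then exec s3fs with the credentials in its environment.
    creds = credentials_from_pod_env(os.environ, time.time())
    env = dict(os.environ, **{k: v for k, v in creds.items() if k != "Expiration"})
    os.execvpe("s3fs", ["s3fs", "mybucket", "/mnt/s3", "-f"], env)  # bucket/mountpoint are placeholders
```

The STS credentials last only for DurationSeconds, so a long-lived mount needs the exchange re-run (or s3fs restarted) before `Expiration`; the projected token itself is rotated by the kubelet, so it is reread from the file on each exchange rather than cached.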
@ggtakec commented on GitHub (Jan 26, 2022):
It is not perfect for incorporating AWS-SDK-CPP, but I think it can incorporate AWS-SDK-CPP authentication (loading AccessKey and SessionToken, etc.) for the current s3fs-fuse. For more information, I would like to discuss this with @gaul.
So please wait for a while.
@gaul commented on GitHub (Jan 27, 2022):
Duplicate of #1778. Thank you for deduplicating this, @nmeyerhans!