aws-es-proxy
Update docker image?
The latest official docker image (0.9) appears to be a year old. Since then, the aws-sdk-go has added support for assuming roles via webtokens. This is necessary in order to run aws-es-proxy on kubernetes via AWS EKS using the native support for IAM roles.
Building against a newer version of aws-sdk-go should be enough to support this, I think, so creating a new official image could be a good idea?
Just saw #61 which would need to be merged first!
Will have a look and update the docker image.
Thanks! Since you are on it, would you consider merging #40 as well? We are using aws-es-proxy via the fluentd-elasticsearch helm chart on EKS, and had to end up using a custom image with both #61 and #40 applied. The latter was to actually see some errors when the IAM role was misconfigured! :smile:
This has been fixed in the new commit to master today. I will soon release a new docker image containing the latest code.
Having IRSA support would be great! Any news on integrating that feature?
Would like to give this a try with the later aws-sdk-go version that supports IAM on EKS. Thanks!
@ojundt version 1.1 has IRSA included, can you give it a try? @codyja I'm using aws-sdk-go v1.30.4 which I think has the support, however, I will update the sdk and release a new version this week.
@abutaha version 1.1 with IRSA works like a charm. Thank you!
Hi @ojundt, could you help me understand how to run aws-es-proxy in order to get it working with IRSA? I'm struggling a bit to make it run. Are you deploying aws-es-proxy through a YAML manifest via kubectl? Are you using a chart? What parameters do you pass to either of those to make it work? Thanks!
In case it helps somebody else I managed to get it working on AWS EKS by providing the following environment variables to the aws-es-proxy pod:
- AWS_ROLE_ARN => arn:aws:iam::[ACCOUNT_ID]:role/[ROLE_NAME]
- AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
The service account needs to be annotated with eks.amazonaws.com/role-arn so that EKS creates the token in the file specified above.
Also, you are providing a role ARN which belongs to an actual role; that role needs to be granted access to AWS ES through a policy in order for this to work.
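A preflight check for the setup described in the comment above, as an added example that is not part of the thread or of aws-es-proxy itself: it reads the two environment variables and decodes the projected token's payload to confirm the claims an IRSA trust policy normally matches on. `CheckIRSA` and `Claims` are hypothetical names; the expected audience `sts.amazonaws.com` and the `system:serviceaccount:<namespace>:<name>` subject format are the EKS defaults and are assumed here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// Claims are the token fields an IRSA role trust policy is usually conditioned on.
type Claims struct {
	Aud []string `json:"aud"`
	Sub string   `json:"sub"`
	Exp int64    `json:"exp"`
}

// CheckIRSA (hypothetical helper) decodes the payload only; STS verifies the signature.
func CheckIRSA(roleARN, tokenPath string, now time.Time) (Claims, error) {
	var c Claims
	raw, err := os.ReadFile(tokenPath)
	if err != nil {
		return c, fmt.Errorf("token file (is the service account annotated?): %w", err)
	}
	parts := strings.Split(strings.TrimSpace(string(raw)), ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("token is not a three-part JWT")
	}
	body := base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[1]))
	switch err = json.NewDecoder(body).Decode(&c); {
	case err != nil:
		return c, fmt.Errorf("token payload: %w", err)
	case !strings.Contains(roleARN, ":role/"):
		return c, fmt.Errorf("AWS_ROLE_ARN %q is not an IAM role ARN", roleARN)
	case !strings.HasPrefix(c.Sub, "system:serviceaccount:"):
		return c, fmt.Errorf("unexpected sub %q", c.Sub)
	case strings.Join(c.Aud, ",") != "sts.amazonaws.com": // assumed default audience
		return c, fmt.Errorf("unexpected aud %v", c.Aud)
	case now.Unix() >= c.Exp:
		return c, fmt.Errorf("token expired at %d", c.Exp)
	}
	return c, nil
}

func main() {
	_, err := CheckIRSA(os.Getenv("AWS_ROLE_ARN"), os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), time.Now())
	fmt.Println("IRSA preflight:", err)
}
```

The `sub` value it returns is the string the role's trust policy has to allow, which is the usual place a misconfigured role shows up.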