kafka-connect-storage-cloud
Kafka Connector on EKS not getting credentials from ServiceAccount
Hello, I am trying to use this connector to store data in AWS S3, running it on an EKS cluster. I want the connector to assume a role that I have assigned to the pod using a ServiceAccount. The role that I am giving to the pod doesn't have the policy to write to S3, but it has a trust relationship that lets it assume another role which does; for example, that's the way External Secrets on k8s works (https://github.com/external-secrets/kubernetes-external-secrets). So the intention is to let the Kafka connector task assume another role that has the S3 rights, by assuming that role from my custom one, through these parameters:
```json
{
  "s3.credentials.provider.class": "io.confluent.connect.s3.auth.AwsAssumeRoleCredentialsProvider",
  "s3.credentials.provider.sts.role.arn": "arn:aws:iam::XXXX:role/kafka-connect-s3-sink",
  "s3.credentials.provider.sts.role.session.name": "kafka-connect-s3-sink",
  "s3.credentials.provider.sts.role.external.id": "kafka-connect-s3-sink"
}
```
When the service account creates the env variables for the pod, the connector should pick up the credentials by using the third step of the Default Credential Provider Chain (https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html), but instead what is happening is that it assumes the role of the EKS worker pod, by applying the fifth or sixth step of the chain.
Any thoughts on that?
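The chain the original post wants (pod web-identity credentials first, then an STS AssumeRole into the S3 role) can be wired explicitly instead of relying on the default provider chain. The following is an added example, not code from this repository or from Confluent: a custom provider for the AWS Java SDK v1 that takes the pod's IRSA token (`AWS_WEB_IDENTITY_TOKEN_FILE` / `AWS_ROLE_ARN`, injected by the ServiceAccount) and uses those credentials to call STS for the S3 role. The class name `WebIdentityAssumeRoleCredentialsProvider` and the config keys `sts.role.arn`, `sts.role.session.name` and `sts.role.external.id` (assumed to arrive with the `s3.credentials.provider.` prefix already stripped, as the built-in provider expects) are assumptions for the example.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigException;

import java.util.Map;

/**
 * Example credentials provider (not part of the connector) that assumes the
 * S3 sink role using the pod's IRSA web-identity credentials, rather than
 * whatever the default chain resolves to (e.g. the worker node's instance role).
 *
 * Configure it in the connector with:
 *   "s3.credentials.provider.class": "WebIdentityAssumeRoleCredentialsProvider"
 *   "s3.credentials.provider.sts.role.arn": "arn:aws:iam::<ACCOUNT_ID_PLACEHOLDER>:role/<ROLE_PLACEHOLDER>"
 *   "s3.credentials.provider.sts.role.session.name": "<SESSION_NAME>"
 *   "s3.credentials.provider.sts.role.external.id": "<EXTERNAL_ID>"   (optional)
 */
public class WebIdentityAssumeRoleCredentialsProvider
        implements AWSCredentialsProvider, Configurable {

    // Config keys as they arrive after the "s3.credentials.provider." prefix is stripped (assumption).
    static final String ROLE_ARN_CONFIG = "sts.role.arn";
    static final String SESSION_NAME_CONFIG = "sts.role.session.name";
    static final String EXTERNAL_ID_CONFIG = "sts.role.external.id";

    private STSAssumeRoleSessionCredentialsProvider delegate;

    @Override
    public void configure(Map<String, ?> configs) {
        String roleArn = requireString(configs, ROLE_ARN_CONFIG);
        String sessionName = requireString(configs, SESSION_NAME_CONFIG);
        Object externalId = configs.get(EXTERNAL_ID_CONFIG);

        // Step 1: read the ServiceAccount-projected token (AWS_WEB_IDENTITY_TOKEN_FILE /
        // AWS_ROLE_ARN). This is the pod's identity, not the EKS node's instance profile.
        AWSCredentialsProvider podIdentity = WebIdentityTokenCredentialsProvider.create();

        // Step 2: build an STS client that authenticates as the pod role ...
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(podIdentity)
                .build();

        // Step 3: ... and use it to assume the S3 role. The delegate refreshes the
        // temporary session credentials automatically before they expire.
        STSAssumeRoleSessionCredentialsProvider.Builder builder =
                new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                        .withStsClient(sts);
        if (externalId != null && !externalId.toString().isEmpty()) {
            // External ID protects the trust relationship against the confused-deputy problem.
            builder = builder.withExternalId(externalId.toString());
        }
        delegate = builder.build();
    }

    private static String requireString(Map<String, ?> configs, String key) {
        Object value = configs.get(key);
        if (value == null || value.toString().isEmpty()) {
            throw new ConfigException("Missing required credentials provider config: " + key);
        }
        return value.toString();
    }

    @Override
    public AWSCredentials getCredentials() {
        if (delegate == null) {
            throw new IllegalStateException("configure() must be called before getCredentials()");
        }
        return delegate.getCredentials();
    }

    @Override
    public void refresh() {
        if (delegate != null) {
            delegate.refresh();
        }
    }
}
```

`WebIdentityTokenCredentialsProvider` is only present in AWS Java SDK v1 from 1.11.704 onward, so this only helps if the Connect worker ships a recent enough SDK; with an older SDK on the classpath the class will not load and the worker will still fall through to the instance-profile role. A quick way to confirm which identity the task actually ends up with is to compare the ARN returned by `sts get-caller-identity` from inside the pod (using the same env variables) against the pod's expected role ARN.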
Could anyone check on this?
@sergialonsaco we faced the same issue. Looks like it's fixed on master
@kkonstantine do you have any estimates of when you are going to release the new version?
@kkonstantine @Tonkonozhenko any news on the release of the version that includes the fix?
@kkonstantine the issue you got here can easily be solved if you upgrade to AWS Java SDK v2. AWS Java SDK v2 supports STS; you can read more here https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials.html under "Web identity token from AWS STS".
Bump, we are looking to use the same setup, i.e., Service Account + WebIdentityToken. Is this still an open issue?