When setting `AWS_STS_REGIONAL_ENDPOINTS=regional`, it uses the region from the registry URL for STS.
Problem:

Pulling from region us-east-1 to ECR in eu-west-1.

When using `AWS_STS_REGIONAL_ENDPOINTS=regional` and pulling from another region, the regional endpoint used to authenticate to STS is based on the registry URL. STS should use the regional endpoint for us-east-1, not eu-west-1 where the image is stored.
```text
failed to get credential from AWS: operation error ECR: GetAuthorizationToken, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded maximum number of attempts, 3, https response error StatusCode: 0, Request ID:, request send failed, Post "https://sts.eu-west-1.amazonaws.com/":
Forbidden
```
See `ParseRegistry`: https://github.com/fluxcd/pkg/blob/d15b989d113fd8c3792f19d8c0aaf31b156f552f/oci/auth/aws/auth.go#L157
Note:

When using IRSA, regional endpoints are injected for STS. This can be disabled with the annotation on the service account: `eks.amazonaws.com/sts-regional-endpoints: "false"`.

Unfortunately we cannot override the STS endpoint used, as it is sourced from the registry URL.
- https://github.com/aws/amazon-eks-pod-identity-webhook
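The following is an added example, not fluxcd's code and not the `ParseRegistry` function linked above, showing the two decisions the report keeps separate: the ECR region is read from the registry hostname (needed to call `GetAuthorizationToken` in the right place), while the region for the STS call comes from the runtime environment, falling back to the registry region only when nothing else is known. The hostname pattern, the `ECRRegistry` type and the `STSRegion`/`STSEndpoint` helpers are assumptions made for this example, and the sample hostname is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
)

// ECRRegistry holds what can be read from an ECR registry hostname.
type ECRRegistry struct {
	AccountID string
	Region    string
	FIPS      bool
	China     bool
}

// ecrHostRe is an assumed pattern for ECR registry hostnames such as
// 123456789012.dkr.ecr.eu-west-1.amazonaws.com, including the -fips and
// .cn variants. It is not fluxcd's own ParseRegistry expression.
var ecrHostRe = regexp.MustCompile(`^(\d{12})\.dkr\.ecr(-fips)?\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?$`)

// ParseECRRegistry extracts the account ID and region from a registry host.
// This region is the one the ECR API call must target.
func ParseECRRegistry(host string) (ECRRegistry, error) {
	m := ecrHostRe.FindStringSubmatch(host)
	if m == nil {
		return ECRRegistry{}, fmt.Errorf("%q is not an ECR registry hostname", host)
	}
	return ECRRegistry{AccountID: m[1], Region: m[3], FIPS: m[2] != "", China: m[4] != ""}, nil
}

// STSRegion decides which region the STS call (AssumeRoleWithWebIdentity
// under IRSA) should target. With AWS_STS_REGIONAL_ENDPOINTS=regional the
// SDK builds sts.<region>.amazonaws.com from the client's configured region,
// so that region must be the runtime region (AWS_REGION / AWS_DEFAULT_REGION),
// not the registry's. lookup stands in for os.Getenv so the choice is testable.
func STSRegion(registryRegion string, lookup func(string) string) (string, error) {
	for _, key := range []string{"AWS_REGION", "AWS_DEFAULT_REGION"} {
		if r := lookup(key); r != "" {
			return r, nil
		}
	}
	if registryRegion == "" {
		return "", errors.New("no region available for STS")
	}
	// Only when the runtime region is unknown do we fall back to the
	// registry region, which is the behaviour the report describes.
	return registryRegion, nil
}

// STSEndpoint is the regional STS endpoint the SDK would contact for region.
func STSEndpoint(region string, china bool) string {
	if china {
		return "https://sts." + region + ".amazonaws.com.cn"
	}
	return "https://sts." + region + ".amazonaws.com"
}

func main() {
	host := "123456789012.dkr.ecr.eu-west-1.amazonaws.com" // constructed sample
	reg, err := ParseECRRegistry(host)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	stsRegion, err := STSRegion(reg.Region, os.Getenv)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("ECR region: %s (account %s)\n", reg.Region, reg.AccountID)
	fmt.Printf("STS endpoint: %s\n", STSEndpoint(stsRegion, reg.China))
}
```

Run with `AWS_REGION=us-east-1` set and the STS endpoint comes out as `https://sts.us-east-1.amazonaws.com` while the ECR region stays `eu-west-1`; with no runtime region set, both fall back to `eu-west-1`, which is the cross-region case the error above shows.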