LIQO not working with AWS federated user (using STS Security Token Service)

Open agulhane-tibco opened this issue 2 years ago • 12 comments

What happened:

We have an AWS account with federated user access, so to connect to the AWS account from a local machine we use the STS service, but while executing "liqoctl install aws" we receive an error. It seems there is no support for this in "liqoctl".

As of now I cannot see any flags for installing "liqo" on an AWS EKS cluster using STS in the "liqoctl" command.

Error we are receiving:

-sh-4.2$ liqoctl install eks --eks-cluster-region us-east-2 --eks-cluster-name federations
INFO Installer initialized
ERRO Error retrieving provider specific configuration: failed retrieving cluster information: unable to get cluste status code: 403, request id: ffde161b-f549

What you expected to happen:

An AWS federated user should be able to connect using STS while executing "liqoctl install aws".

How to reproduce it (as minimally and precisely as possible):

  1. Log in as the AWS federated user using STS.
  2. Create an EKS cluster.
  3. Try to deploy "liqo" using the liqoctl command.
  4. We are using the above command.

Anything else we need to know?:

Environment:

  • Liqo version: v0.5.4
  • Kubernetes version (use kubectl version): v1.22 / v1.23
  • Cloud provider or hardware configuration: AWS Federated user
  • Network plugin and version: Kubenet
  • Install tools: liqoctl
  • Others:

agulhane-tibco avatar Sep 05 '22 05:09 agulhane-tibco

Any update here?

agulhane-tibco avatar Sep 08 '22 11:09 agulhane-tibco

Hi @agulhane-tibco! Sorry for the late answer.

The AWS STS service is not currently supported; you can install liqo using helm.

Make sure to set:

  • the pod and service CIDRs for your cluster accordingly
  • the cluster name in discovery.config.clusterName
  • the service.beta.kubernetes.io/aws-load-balancer-type: nlb annotation in gateway.service.annotations
  • the awsConfig values with an access id for a user with permission on iam:CreateUser, iam:CreateAccessKey, and eks:DescribeCluster, needed to give remote clusters the required access to the local API server

aleoli avatar Sep 08 '22 13:09 aleoli
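A helm values file that sets the four items listed in the comment above, as an added example (it is not the liqo project's own file nor something posted in this thread). Only the keys the comment names (discovery.config.clusterName, gateway.service.annotations with the nlb annotation, awsConfig) come from the thread; the sub-key names under networkManager.config and awsConfig are assumed from the liqo 0.5 chart and should be checked against `helm show values liqo/liqo` before use. The CIDRs, key material and region are constructed placeholders.

```yaml
# values-aws.yaml: added example, not from the liqo project or the thread authors.
# Install with (chart repo as documented by the project, assumed here):
#   helm repo add liqo https://helm.liqo.io/
#   helm install liqo liqo/liqo -n liqo --create-namespace -f values-aws.yaml

networkManager:
  config:
    # Constructed placeholders: replace with the cluster's actual pod and service
    # ranges; liqo needs them to set up the network between peered clusters.
    podCIDR: "10.0.0.0/16"
    serviceCIDR: "172.20.0.0/16"

discovery:
  config:
    # Cluster name as used in the issue's liqoctl command.
    clusterName: "federations"

gateway:
  service:
    annotations:
      # Annotation named in the thread: expose the gateway through an AWS NLB.
      service.beta.kubernetes.io/aws-load-balancer-type: nlb

awsConfig:
  # Static credentials of a dedicated IAM user, not the temporary STS session
  # credentials (those expire, and the remote cluster would then log
  # InvalidClientTokenId as seen later in this thread). Attach a policy that
  # allows exactly iam:CreateUser, iam:CreateAccessKey and eks:DescribeCluster,
  # the three permissions the comment lists, and nothing broader.
  accessKeyId: "AKIA_PLACEHOLDER_ACCESS_KEY_ID"      # placeholder
  secretAccessKey: "PLACEHOLDER_SECRET_ACCESS_KEY"   # placeholder
  region: "us-east-2"                                # region from the issue
  clusterName: "federations"                         # EKS cluster name from the issue
```

Keep the values file out of version control, or reference the secret from a Kubernetes Secret if the chart version in use supports it, since it carries a long-lived IAM key with user-creation rights.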

Thanks @aleoli for the response. But can you confirm that in future, AWS STS service support will be included or not?

agulhane-tibco avatar Sep 08 '22 13:09 agulhane-tibco

We should investigate further what the blocker is here. Yet, this is not currently high on our priority list, since it is only related to liqoctl install and a workaround exists, unless there is strong demand from the community.

aleoli avatar Sep 08 '22 14:09 aleoli

@agulhane-tibco It depends on the requests coming from the community, and the support we get from interested partners :-)

frisso avatar Sep 11 '22 11:09 frisso

Hi @aleoli, we tried out the solution you provided to Aniket; however, it fails to connect to another cluster that has liqo installed. Below is the error we are getting:

E0912 17:36:23.296209 1 foreign-cluster-controller.go:219] InvalidClientTokenId: The security token included in the request is invalid. status code: 403, request id: xxxxxx-xxxx-xxx-xxxx-xxxxxxxx

saushind-tibco avatar Sep 12 '22 17:09 saushind-tibco

Hi @saushind-tibco! It seems that the other cluster (the remote one) is not able to sign requests to the AWS APIs. Can you check the logs of the AuthService in the other cluster, and that the AWS IAM keys provided to the remote cluster are valid?

aleoli avatar Sep 13 '22 06:09 aleoli

Hi @aleoli, does liqo create new users for further processing? As our infrastructure is built on STS, our account does not have any provision for creating new users. Is there any workaround to use roles instead of relying on users being created?

saushind-tibco avatar Sep 15 '22 09:09 saushind-tibco

Hi @saushind-tibco! At the moment, IAM user creation is required; we have to investigate more deeply the ways to authenticate remote clusters.

aleoli avatar Sep 19 '22 07:09 aleoli

Hi @aleoli, we have a limitation in granting user-creation access to the IAM user. Is there any other way we can use it, like passing a pre-created user that Liqo would use to authenticate the remote cluster?

saushind-tibco avatar Oct 11 '22 05:10 saushind-tibco

No, at the moment no other mechanism is supported, but we are open to suggestions and contributions from the community to provide it in a future release.

aleoli avatar Oct 13 '22 08:10 aleoli

@agulhane-tibco I am also using STS, and with 0.6.0 I am able to install with "liqoctl install eks --eks-cluster-region=ap-south-1 --eks-cluster-name=external --cluster-labels=workload=high" as well as establish out-of-band peering.

The IAM role you are assuming is going to be used to create a liqo-user, since liqo doesn't support IRSA yet. All peerings will happen using the same user.

If you are still blocked feel free to ping me on slack.

rverma-dev avatar Dec 02 '22 05:12 rverma-dev