
[Bug]: s3 with iam role not available,Access Denied

Open zhoudayu123 opened this issue 3 years ago • 5 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Environment

- Milvus version: 2.1
- Deployment mode(standalone or cluster):cluster
- SDK version(e.g. pymilvus v2.0.0rc2):
- OS(Ubuntu or CentOS): 
- CPU/Memory: 16/128
- GPU: 
- Others:

Current Behavior

minio:
  enabled: false

externalS3:
  enabled: true
  host: "s3.us-west-2.amazonaws.com"
  port: "443"
  useSSL: true
  bucketName: "mars6-prod-milvus"
  rootPath: "/"
  useIAM: true

Expected Behavior

No response

Steps To Reproduce

When I configure with AK/SK, it works, but when I change to IAM, it does not work.
I'm sure that the IAM role is OK, because I can access S3 by AWS CLI and other pods.

Milvus Log

image

Anything else?

How can I configure S3 with IAM correctly?

zhoudayu123 avatar Aug 03 '22 11:08 zhoudayu123

@LoveEachDay could you please help on this issue? /assign @LoveEachDay /unassign

yanliang567 avatar Aug 03 '22 12:08 yanliang567

@zhoudayu123 Did you deploy a Milvus cluster into an AWS EKS cluster with an S3 IAM role? If so, you'd create a service account which binds an IAM role first. And here's a tutorial to set up an IAM role for EKS: https://levelup.gitconnected.com/using-iam-roles-to-allow-the-pods-in-aws-eks-to-read-the-aws-s3-bucket-be493fbdda84. Give it a try.

If you set up the service account, you can verify the setting using the following commands:

kubectl describe pods <milvus-pods>

You'd see the following environment variables

AWS_STS_REGIONAL_ENDPOINTS   
AWS_DEFAULT_REGION
AWS_REGION
AWS_ROLE_ARN
AWS_WEB_IDENTITY_TOKEN_FILE

injected to your milvus pod and a volume which has the sts token attached to the milvus pod.

You can take a reference from here.

LoveEachDay avatar Aug 03 '22 13:08 LoveEachDay
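
The check described in the comment above, as an added example that is not part of the thread or of Milvus: it reads `kubectl get pod <milvus-pod> -o json` output (an assumption; the comment uses `kubectl describe`) and reports which of the listed environment variables or the token volume are missing. The sample pod, role ARN, account id and container name are constructed placeholders.

```python
import json
import sys

# Environment variables the thread says to look for on the Milvus pod.
EXPECTED_ENV = ["AWS_STS_REGIONAL_ENDPOINTS", "AWS_DEFAULT_REGION", "AWS_REGION",
                "AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"]

def check_irsa(pod):
    """Return a list of problems; an empty list means the injection looks complete."""
    problems = []
    spec = pod.get("spec", {})
    # Projected volumes carrying a service account token (the STS web identity token).
    token_vols = {v["name"] for v in spec.get("volumes", [])
                  if any("serviceAccountToken" in s
                         for s in v.get("projected", {}).get("sources", []))}
    if not token_vols:
        problems.append("pod: no projected serviceAccountToken volume")
    for c in spec.get("containers", []):
        env = {e["name"]: e.get("value", "") for e in c.get("env", [])}
        problems += [f"{c['name']}: missing env {n}" for n in EXPECTED_ENV if n not in env]
        # The token file must sit under a mount backed by one of the token volumes.
        token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE", "")
        mounted = any(token_file.startswith(m["mountPath"].rstrip("/") + "/")
                      for m in c.get("volumeMounts", []) if m["name"] in token_vols)
        if token_file and not mounted:
            problems.append(f"{c['name']}: token file is not on a token volume mount")
    return problems

# Constructed sample, shaped like `kubectl get pod <milvus-pod> -o json` output.
# Role ARN, account id, region and container name are placeholders.
TOKEN_DIR = "/var/run/secrets/eks.amazonaws.com/serviceaccount"
SAMPLE_POD = {"spec": {
    "volumes": [{"name": "aws-iam-token", "projected": {"sources": [
        {"serviceAccountToken": {"audience": "sts.amazonaws.com", "path": "token"}}]}}],
    "containers": [{
        "name": "datanode",
        "env": [{"name": "AWS_STS_REGIONAL_ENDPOINTS", "value": "regional"},
                {"name": "AWS_DEFAULT_REGION", "value": "us-west-2"},
                {"name": "AWS_REGION", "value": "us-west-2"},
                {"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::111122223333:role/EXAMPLE"},
                {"name": "AWS_WEB_IDENTITY_TOKEN_FILE", "value": TOKEN_DIR + "/token"}],
        "volumeMounts": [{"name": "aws-iam-token", "mountPath": TOKEN_DIR}],
    }],
}}

if __name__ == "__main__":
    # Usage: kubectl get pod <milvus-pod> -o json | python3 check_irsa.py
    pod = SAMPLE_POD if sys.stdin.isatty() else json.load(sys.stdin)
    print("\n".join(check_irsa(pod)) or "IRSA env vars and token volume present")
```

A pod that reports every variable missing usually means its service account carries no role binding, so nothing was injected when the pod was created.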

@zhoudayu123 please try as suggested above /assign @zhoudayu123 /unassign @LoveEachDay

yanliang567 avatar Aug 04 '22 10:08 yanliang567

/assign @zwd1208 could you help on it

xiaofan-luan avatar Aug 10 '22 15:08 xiaofan-luan

@xiaofan-luan: GitHub didn't allow me to assign the following users: it, could, you, help, on.

Note that only milvus-io members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide

In response to this:

/assign @zwd1208 could you help on it

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

sre-ci-robot avatar Aug 10 '22 15:08 sre-ci-robot

@zhoudayu123 Any news? Stuck at the same point.

erezweissgloat avatar Aug 18 '22 08:08 erezweissgloat

@erezweissgloat Have you set up the service account for an IAM role following the above instructions?

LoveEachDay avatar Aug 19 '22 02:08 LoveEachDay

@erezweissgloat Have you set up the service account for an IAM role following the above instructions?

Works now, service account defected. Thanks!!!

erezweissgloat avatar Aug 21 '22 08:08 erezweissgloat

can be closed

haorenfsa avatar Oct 29 '22 03:10 haorenfsa