
Cannot use iamRole on S3 source

Open ajp-lsq opened this issue 2 years ago • 2 comments

When trying to create an AWSS3Source using the auth.iamRole parameter, the triggermesh-controller pod returns the following error:

{"severity":"INFO","timestamp":"2022-07-21T15:54:27.180662781Z","logger":"triggermesh-controller.event-broadcaster","caller":"record/event.go:285","message":"Event(v1.ObjectReference{Kind:\"AWSS3Source\", Namespace:\"triggermesh\", Name:\"etl-bankruptcy-test\", UID:\"50f49e1d-9a6f-4a3f-abaa-917288a29197\", APIVersion:\"sources.triggermesh.io/v1alpha1\", ResourceVersion:\"413496913\", FieldPath:\"\"}): type: 'Warning' reason: 'FailedSubscribe' Error creating AWS API clients: AWS security credentials were not specified","commit":"130294b"}

This seems to me like it's still looking for the security key ID/secret and ignoring the IAM role parameter. Is there something I'm missing here?

ajp-lsq avatar Jul 21 '22 16:07 ajp-lsq

@tzununbekov

Not sure if I'm missing an earlier bit of code in the call-stack that obviates this, but it seems this if statement precludes the ability to use iamRole as an auth method: https://github.com/triggermesh/triggermesh/blob/b730544962846d5ad17cc1a87b1f43074ac5dad6/pkg/sources/client/s3/client.go#L75

ajp-lsq avatar Jul 26 '22 11:07 ajp-lsq

@ajp-lsq looks like this condition is left there because the triggermesh controller still uses these credentials to access the S3 API. As described in the CRD, the controller can also work with an IAM role, but we'll need to update the Get method to make the controller switch between the IAM role (if credentials are nil and the IAM annotation is set) and credential keys otherwise.

tzununbekov avatar Jul 27 '22 12:07 tzununbekov
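
The selection logic described in the comment above, as an added example that is not TriggerMesh's code or the fix from the PR: the `Auth` type, field names and `SelectMode` function are hypothetical, and the role ARN is a constructed sample. It is stricter than the comment in one place (an assumption of this example): a key pair and a role set together are rejected instead of silently preferring the keys.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Auth is a hypothetical stand-in for the source's auth spec, not TriggerMesh's own type.
type Auth struct {
	AccessKeyID, SecretAccessKey string // static key pair, empty when unset
	IAMRole                      string // role ARN, empty when unset
}

type Mode int

const (
	ModeStaticKeys Mode = iota + 1
	ModeIAMRole
)

var ErrNoCredentials = errors.New("AWS security credentials were not specified")

// validRoleARN checks the shape arn:<partition>:iam::<account>:role/<name>.
func validRoleARN(arn string) bool {
	p := strings.SplitN(arn, ":", 6)
	return len(p) == 6 && p[0] == "arn" && p[1] != "" && p[2] == "iam" &&
		p[3] == "" && p[4] != "" && strings.HasPrefix(p[5], "role/") && len(p[5]) > len("role/")
}

// SelectMode uses static keys when a complete pair is present and the IAM role
// only when no keys are set. Error messages never include the secret.
func SelectMode(a Auth) (Mode, error) {
	hasID, hasSecret := a.AccessKeyID != "", a.SecretAccessKey != ""
	switch {
	case hasID != hasSecret:
		return 0, errors.New("incomplete key pair: access key ID and secret must be set together")
	case hasID && a.IAMRole != "": // stricter than the comment above (assumption)
		return 0, errors.New("ambiguous auth: set either a key pair or iamRole, not both")
	case hasID:
		return ModeStaticKeys, nil
	case a.IAMRole == "":
		return 0, ErrNoCredentials
	case !validRoleARN(a.IAMRole):
		return 0, fmt.Errorf("iamRole %q is not an IAM role ARN", a.IAMRole)
	}
	return ModeIAMRole, nil
}

func main() {
	mode, err := SelectMode(Auth{IAMRole: "arn:aws:iam::123456789012:role/constructed-example"})
	fmt.Println(mode, err)
}
```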

Any news on the issue?

melkosoft avatar Oct 11 '22 21:10 melkosoft

Hey @ajp-lsq @melkosoft, we've just merged this PR https://github.com/triggermesh/triggermesh/pull/1178, fixing this issue, but as we commented on the PR, we haven't fully tested this PR with a cluster with an IAM role.

FranBarrera avatar Oct 20 '22 11:10 FranBarrera

Do we need to build an image from this code, or is the image with the changes already in the Google repo? I do not have tools to build it...

melkosoft avatar Oct 25 '22 19:10 melkosoft

@melkosoft you should be able to apply the changes using the latest built manifest available via CircleCI:

https://app.circleci.com/pipelines/github/triggermesh/triggermesh/3227/workflows/5651376b-f845-41a6-a6bf-7549436604dc/jobs/8985/artifacts

You will see two YAML manifests in there that you can just kubectl apply.

sebgoa avatar Oct 26 '22 07:10 sebgoa