The documentation for configuring instance metadata authentication for Couchbase Operator Backup (link) IMHO is unclear on whether providing the secret is always necessary. The primary advantage of using IAM roles (specifically roles/iam.workloadIdentityUser), as you can see (here), is to avoid the need for secrets. Thus, if using a secret is mandatory, it seems to me that this contradicts the purpose of IAM roles.
Furthermore, the instance metadata authentication option does not function as expected. I attempted this with the latest release couchbase/operator-backup:1.3.8.
Steps to Reproduce
1. Use the service account serviceAccountName: couchbase-backup.
2. Bind the Service Account to Workload Identity.
3. Create roles for roles/storage.objectCreator and roles/storage.objectViewer.
Please clarify the documentation regarding the necessity of secrets when using IAM roles. Additionally, provide a resolution for the failure observed during instance metadata authentication.
camilamacedo86 changed the title from "Google Cloud Cloud Storage integration to store backups in the buckets using IAM (roles/iam.workloadIdentityUser) does not work" to "Clarification and Failure of Instance Metadata Authentication for Couchbase Operator Backup" on May 24, 2024.
I could make it work by doing some changes manually.
Following are my suggestions to sort it out:
a) The CRD CouchbaseBackup needs a spec field so that we are able to add the required annotation to grant the IAM permissions to the ServiceAccount. (Also, the Helm chart needs to allow us to provide the annotation via the values.)
b) It would also be helpful to allow us to create the ServiceAccount manually if we wish to do so, instead of it always being created by the operator.
c) The docs are missing examples of how to configure it and the required permissions. I needed to grant all the following ones to get it working. Could you please clarify which permissions should be required?
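The comment above asks for three things to be checkable: the Workload Identity annotation on the Kubernetes ServiceAccount, the roles/iam.workloadIdentityUser binding on the Google service account, and the minimal bucket roles (roles/storage.objectCreator and roles/storage.objectViewer). The following is an added pre-flight check for those three settings; it is example code, not part of the Couchbase operator or anything the reporter posted. It assumes the standard GKE annotation key iam.gke.io/gcp-service-account and the GKE member format serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA] (both GKE conventions that the issue does not spell out), and it constructs its own sample manifest and IAM policies inline in place of real kubectl/gcloud output.

```python
from __future__ import annotations

import re

# Standard GKE Workload Identity annotation key (assumed from GKE docs, not stated on the page).
WI_ANNOTATION = "iam.gke.io/gcp-service-account"
# Shape of a Google service account e-mail: 6-30 char local part, project-scoped domain.
GSA_EMAIL_RE = re.compile(r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]+\.iam\.gserviceaccount\.com$")
# The two bucket roles the issue lists for the backup job; anything beyond them is over-privilege.
NEEDED_BUCKET_ROLES = {"roles/storage.objectCreator", "roles/storage.objectViewer"}


def check_ksa(manifest: dict) -> list[str]:
    """Findings for the Kubernetes ServiceAccount manifest the backup pods run as."""
    if manifest.get("kind") != "ServiceAccount":
        return ["manifest is not a ServiceAccount"]
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    gsa = annotations.get(WI_ANNOTATION)
    if gsa is None:
        return [f"missing {WI_ANNOTATION} annotation; metadata auth will not impersonate a GSA"]
    if not GSA_EMAIL_RE.match(gsa):
        return [f"annotation value {gsa!r} is not a Google service account e-mail"]
    return []


def check_wi_binding(project: str, namespace: str, ksa: str, gsa_policy: list[dict]) -> list[str]:
    """Check that exactly this KSA holds roles/iam.workloadIdentityUser on the GSA."""
    expected = f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"
    members = {m for b in gsa_policy if b["role"] == "roles/iam.workloadIdentityUser" for m in b["members"]}
    findings = []
    if expected not in members:
        findings.append(f"{expected} lacks roles/iam.workloadIdentityUser on the GSA")
    # Any other member with this role can impersonate the backup identity: flag it.
    findings += [f"unexpected workloadIdentityUser member {m}" for m in sorted(members - {expected})]
    return findings


def check_bucket_roles(gsa: str, bucket_policy: list[dict]) -> list[str]:
    """Flag missing or over-broad roles held by the GSA on the backup bucket."""
    member = f"serviceAccount:{gsa}"
    granted = {b["role"] for b in bucket_policy if member in b["members"]}
    findings = [f"{member} is missing {r}" for r in sorted(NEEDED_BUCKET_ROLES - granted)]
    findings += [f"{member} holds {r}, broader than the backup job needs"
                 for r in sorted(granted - NEEDED_BUCKET_ROLES)]
    return findings


def run_checks(ksa_manifest: dict, gsa_policy: list[dict], bucket_policy: list[dict]) -> dict[str, list[str]]:
    """Run all three checks; an empty list for every key means the setup is consistent."""
    ns = ksa_manifest["metadata"]["namespace"]
    name = ksa_manifest["metadata"]["name"]
    gsa = (ksa_manifest["metadata"].get("annotations") or {}).get(WI_ANNOTATION, "")
    project = gsa.split("@", 1)[1].split(".", 1)[0] if "@" in gsa else ""
    return {
        "ksa": check_ksa(ksa_manifest),
        "workload_identity": check_wi_binding(project, ns, name, gsa_policy),
        "bucket": check_bucket_roles(gsa, bucket_policy),
    }


# --- constructed sample input (stands in for kubectl get sa -o json and gcloud ... get-iam-policy) ---
PROJECT, NAMESPACE, KSA = "example-project", "couchbase", "couchbase-backup"
GSA = f"{KSA}@{PROJECT}.iam.gserviceaccount.com"
KSA_GOOD = {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": KSA, "namespace": NAMESPACE, "annotations": {WI_ANNOTATION: GSA}}}
KSA_BAD = {"apiVersion": "v1", "kind": "ServiceAccount",
           "metadata": {"name": KSA, "namespace": NAMESPACE}}  # annotation missing, as in the report
GSA_POLICY = [{"role": "roles/iam.workloadIdentityUser",
               "members": [f"serviceAccount:{PROJECT}.svc.id.goog[{NAMESPACE}/{KSA}]"]}]
BUCKET_POLICY_MIN = [{"role": "roles/storage.objectCreator", "members": [f"serviceAccount:{GSA}"]},
                     {"role": "roles/storage.objectViewer", "members": [f"serviceAccount:{GSA}"]}]
BUCKET_POLICY_BROAD = [{"role": "roles/storage.admin", "members": [f"serviceAccount:{GSA}"]}]

if __name__ == "__main__":
    for label, manifest, policy in (("good", KSA_GOOD, BUCKET_POLICY_MIN), ("bad", KSA_BAD, BUCKET_POLICY_BROAD)):
        print(label, run_checks(manifest, GSA_POLICY, policy))
```

The bucket check is deliberately two-sided: it reports a missing objectCreator/objectViewer grant (the job cannot write) and also any broader role such as roles/storage.admin, since the point of Workload Identity over a long-lived key is lost if the impersonated identity is over-privileged.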
Steps to Reproduce (in addition to the steps above)
4. Work around the "[Errno 13] Permission denied: '/data/scriptlogs'" error faced when trying to use the backup option (#126 (comment)).
Observed Behavior
The job fails to connect to the API, producing the following log output:
Expected Behavior
The backup job should successfully connect to the API and perform the backup without requiring a secret when using IAM roles.
Additional Information
Configuration