IAM AssumedRole doesn't work in ECS #243
Comments
We don't do anything fancy, we only use the basic SDK. |
I reported this in the aws-sdk-java issues. See the workaround I noted there if anyone else runs into this. |
I ran into this too, deploying into a kubernetes pod, using docker image prom/cloudwatch-exporter:cloudwatch_exporter-0.6.0
role kops-node has a policy including
role prom-exporter has a policy including
role prom-exporter has a trust relationship that includes
I can run
(*: I admit the |
I have the same problem on EKS and version The env vars on the pod are correct:
But it still tries to assume the role from instance instead. I will chase it up with the SDK. |
Did you run as The official chart runs as nobody by default: https://github.com/helm/charts/blob/master/stable/prometheus-cloudwatch-exporter/values.yaml#L200
Just remove it; that will make the process run as root, and then it works. |
Good find @monsterxx03. Here's the Kubernetes issue for this problem: kubernetes/kubernetes#82573 And here's a workaround: kubernetes-sigs/external-dns#1185 Add this for the k8s pod/deployment:
I'll test it and make a PR for the cloudwatch exporter chart.
EDIT: No PR required, just set this in k8s chart values:
I don't know how that works for ECS though. |
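The fsGroup workaround referenced in the comment above, written out as an added example that is not from this thread, the Helm chart or the exporter project. It assumes the chart's non-root uid 65534 (nobody), that the EKS pod identity webhook injects the IRSA token volume and env vars, and uses a placeholder role ARN and namespace.

```yaml
# Added example (not the chart's or the project's own manifest).
# Assumptions: exporter runs as uid 65534 (nobody), EKS pod identity webhook is
# installed, ROLE_ARN_PLACEHOLDER and the "monitoring" namespace are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloudwatch-exporter
  namespace: monitoring
  annotations:
    # The role's trust policy must also allow this namespace/service account.
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/ROLE_ARN_PLACEHOLDER
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudwatch-exporter
  namespace: monitoring
spec:
  selector:
    matchLabels: {app: cloudwatch-exporter}
  template:
    metadata:
      labels: {app: cloudwatch-exporter}
    spec:
      serviceAccountName: cloudwatch-exporter
      securityContext:
        runAsUser: 65534   # non-root, as in the chart default
        # Without fsGroup the projected token file is owned by root with mode
        # 0600, so a non-root process cannot read it and the SDK silently falls
        # back to the instance role (kubernetes/kubernetes#82573). Setting
        # fsGroup makes the projected file readable by this gid.
        fsGroup: 65534
      containers:
        - name: exporter
          image: prom/cloudwatch-exporter:cloudwatch_exporter-0.7.0
          # The webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE
          # here; SDK 1.11.704 or later checks them before the instance profile.
```

To confirm the fix from inside the pod, check that the file named by AWS_WEB_IDENTITY_TOKEN_FILE is readable by the exporter's uid; if it is not, the SDK will keep using the instance role.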
Have you managed to get IRSA working with this approach? I've set these values and am able to access the projected token file from inside the pod (as See also #248 and #263 for SDK updates. Updating to 1.11.704 or higher should have been sufficient to address the provider priority issue. |
Yes. It works for us in 7 different EKS clusters. But remember you need the correct annotation and assume role policy on the role. And correct namespace etc. |
Thanks! Upon further investigation I can see I was confused and the exporter ( |
Sounds like this was all fixed already then. |
Hi. I can't tell if this is an issue with cloudwatch_exporter, or the underlying AWS Java SDK.
I'm trying to run the prom/cloudwatch-exporter:cloudwatch_exporter-0.7.0 Docker container on AWS ECS. The ECS Service is using an IAM Role Policy which includes the permissions:
The following error occurs when starting the exporter:
It seems as if the assumed IAM Role attached to the container is not honored correctly.
I then tried adding the same IAM Role policy permissions noted above to the underlying EC2 host's IAM Role, and ran the exporter directly on the EC2 instance. This starts cleanly.
Is the issue regarding assumed roles in an ECS container an issue with prom/cloudwatch-exporter, or the underlying Java AWS SDK? Is anyone successfully running the prom/cloudwatch-exporter Docker container in ECS, and perhaps I've just got something misconfigured?
Thanks in advance.