Support for IAM Roles for Service Accounts for EKS #1314
-
Replies: 12 comments 1 reply
-
I think the S3 output now has all the needed properties. Since the last release we added all the missing auth configs to cloudwatch output #273. You can change the fluentd service account if you want. I'm going to close this ticket, but if you are missing anything please reopen it, and let us know.
-
@ahma I couldn't test it, but I checked #273. I'm not proficient with Go, but I can see support for assuming the instance role is there, which the pod can inherit from the node. But this issue is about Kubernetes service account integration with AWS IAM roles. In short we do the following:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "${OIDC_ARN}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_URL}:sub": "system:serviceaccount:${NAMESPACE}:${SA_NAME}"
        }
      }
    }
  ]
}
```

Then EKS automatically adds
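As an added illustration (not code from this thread or from the logging-operator project), a small Python checker that reads a trust policy shaped like the one above and reports which `system:serviceaccount:<ns>:<sa>` subjects it admits, flagging statements with no `:sub` condition or a wildcard one; the account id, OIDC provider id and namespace/SA names are constructed placeholders.

```python
import json

# Constructed placeholders standing in for ${OIDC_ARN} / ${OIDC_URL} in the thread.
OIDC_URL = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
OIDC_ARN = "arn:aws:iam::123456789012:oidc-provider/" + OIDC_URL

# Trust policy scoped to a single service account (the shape shown above).
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC_URL}:sub": "system:serviceaccount:logging:fluentd"}},
    }],
})

# Same policy with the Condition block left out: every pod in the cluster that
# gets a projected web identity token from this provider could assume the role.
LOOSE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
})


def _as_list(v):
    return [] if v is None else ([v] if isinstance(v, str) else list(v))


def irsa_subjects(policy_json, oidc_url):
    """Return (subjects, findings): subjects the policy lets assume the role via
    AssumeRoleWithWebIdentity, and findings for statements broader than one SA."""
    sub_key = f"{oidc_url}:sub"
    subjects, findings = set(), []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        cond = st.get("Condition", {})
        exact = _as_list(cond.get("StringEquals", {}).get(sub_key))
        like = _as_list(cond.get("StringLike", {}).get(sub_key))
        if not exact and not like:
            findings.append(f"statement {i}: no {sub_key} condition, any service account in the cluster matches")
            continue
        for s in like:
            if "*" in s or "?" in s:
                findings.append(f"statement {i}: wildcard subject {s!r} matches more than one service account")
        subjects.update(exact + like)
    return subjects, findings
```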
-
Thanks @sudip-moengage, I will look into this. -> reopen
-
@sudip-moengage In this case you can annotate the SA. If you annotate the fluentd/fluentdbit resources Docs
-
@ahma Yes, I can annotate, but the SDK fluentd uses, does it support
-
Hi @sudip-moengage, the root cause for this issue is that the AWS Ruby SDK in the latest Please follow fluent/fluent-plugin-s3#301 for further details. Once that plugin gets updated with a more up-to-date AWS Ruby SDK this will work automagically in a more recent release of that plugin. We can't solve this issue from the logging-operator, so I'm closing this now.
-
@sudip-moengage just submitted fluent/fluent-plugin-s3#305 to resolve the issue upstream, I hope it gets merged soon enough 🙂
-
Correct me if I'm wrong, but I don't think the CRD supports annotating the ServiceAccount for fluentd; it only allows annotations on the fluentd pods themselves, or naming a different SA.
-
@gregorygtseng seems that you are right. Having the annotation set as
-
no, currently you cannot
-
@pepov thanks for the prompt reply
-
Need help understanding what the conclusion is here. Is assuming roles via web identity token supported? Does it work for anyone? If so, would you mind sharing an example working config?
-
Although I don't have a complete example to show you, the conclusion is that yes, it should work.
Once you go through the steps of setting up IAM Roles for Service Accounts there is one item that needs to be done on the operator side, which is annotating the fluentd service account.
For that you need a config similar to this in your logging resource:
This will merge the above annotation into the existing ones.