Call to sts.getCredentials running from EKS does not pick up IRSA identity but EC2 identity
samarthmaniar opened this issue
Samarth Maniar commented
Our team has researched and we believe that the issue has something to do with the results shown below.
These two calls return different identities. When the STS object is instantiated without credentials, it picks up the IRSA identity. The problem occurs when passing credentials from fetchAWSCredentials; in that instance it picks up the ID of the worker node.
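```js
const AWS = require('aws-sdk');

// Explicit credentials from fetchAwsCredentials: reports the worker node identity
const auth = await fetchAwsCredentials()();
const sts = new AWS.STS({region: 'us-east-1', credentials: auth})
console.log(await sts.getCallerIdentity().promise())
```
```js
// No explicit credentials (default provider chain): reports the IRSA identity
const sts = new AWS.STS({region: 'us-east-1'})
console.log(await sts.getCallerIdentity().promise())
```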
Errors we're seeing in Splunk for our service look like this:
{"error_id":"f586a0d5-0bad-4927-96bb-3763cd9be375","errors":[{"code":99216,"message":"The specified IAM principal is not valid."}]}
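A diagnostic for the symptom described in this issue, added here as an example and not part of the original report or of the library under discussion: it classifies the `Arn` returned by `getCallerIdentity` as the pod's IRSA role or the worker node's EC2 instance role. The function names and all sample ARNs are hypothetical; it assumes the pod has the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables that EKS injects for IRSA, and relies on EC2 instance-profile sessions being named after the instance ID.

```javascript
// Added example (not from the issue). All ARNs below are constructed samples.

// arn:<partition>:sts::<account>:assumed-role/<role-name>/<session-name>
const ASSUMED_ROLE_RE = /^arn:(aws[\w-]*):sts::(\d{12}):assumed-role\/([^/]+)\/(.+)$/;
// EC2 instance-profile credentials use the instance ID as the session name.
const INSTANCE_ID_RE = /^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$/;

// An IAM role ARN may carry a path (role/team/app-role); the STS ARN keeps only
// the final role name, so compare on that rather than on the whole string.
function roleNameFromIamArn(roleArn) {
  const m = /^arn:aws[\w-]*:iam::(\d{12}):role\/(.+)$/.exec(roleArn || '');
  return m ? { account: m[1], name: m[2].split('/').pop() } : null;
}

// callerArn: the Arn field of a getCallerIdentity response.
// env: the pod environment (AWS_ROLE_ARN is the role bound to the service account).
function classifyCallerIdentity(callerArn, env = process.env) {
  const m = ASSUMED_ROLE_RE.exec(callerArn || '');
  if (!m) return { kind: 'other', reason: 'not an assumed-role ARN' };
  const [, , account, roleName, sessionName] = m;
  const expected = roleNameFromIamArn(env.AWS_ROLE_ARN);
  if (expected && expected.account === account && expected.name === roleName) {
    return { kind: 'irsa', roleName, sessionName };
  }
  if (INSTANCE_ID_RE.test(sessionName)) {
    // Node role in use; irsaConfigured=true means IRSA was available but bypassed.
    const irsaConfigured = Boolean(expected && env.AWS_WEB_IDENTITY_TOKEN_FILE);
    return { kind: 'ec2-instance-role', roleName, sessionName, irsaConfigured };
  }
  return { kind: 'other', roleName, sessionName };
}

// Constructed sample: a pod with IRSA configured whose client resolved node credentials.
const sampleEnv = {
  AWS_ROLE_ARN: 'arn:aws:iam::111122223333:role/team/app-irsa-role',
  AWS_WEB_IDENTITY_TOKEN_FILE: '/path/to/projected/token',
};
console.log(classifyCallerIdentity(
  'arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0123456789abcdef0', sampleEnv));
```

Run against the `Arn` from each of the two calls above, a result of `ec2-instance-role` with `irsaConfigured: true` indicates that the credentials passed to the client came from the instance metadata service rather than the web identity token.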