Nike-Inc / cerberus-node-client

Node client for interacting with a Cerberus backend. It can be used in Amazon EC2 instances and Amazon Lambdas.

Home Page: http://nike-inc.github.io/cerberus

Call to sts.getCredentials running from EKS does not pick up IRSA identity but EC2 identity

samarthmaniar opened this issue

Our team has researched and we believe that the issue has something to do with the results shown below.

These two calls return different identities. When the STS object is instantiated without credentials, it picks up the IRSA identity. The problem occurs when passing credentials from fetchAWSCredentials; in that instance it picks up the ID of the worker node.

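const AWS = require('aws-sdk')
// Credentials passed in from fetchAwsCredentials: picks up the worker node identity
const auth = await fetchAwsCredentials()();
const sts = new AWS.STS({region: 'us-east-1', credentials: auth})
console.log(await sts.getCallerIdentity().promise())

// No credentials passed: picks up the IRSA identity
const stsDefault = new AWS.STS({region: 'us-east-1'})
console.log(await stsDefault.getCallerIdentity().promise())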

Errors we're seeing in Splunk for our service look like this:

{"error_id":"f586a0d5-0bad-4927-96bb-3763cd9be375","errors":[{"code":99216,"message":"The specified IAM principal is not valid."}]}
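
An offline check for the symptom reported above, added here as an example and not part of the issue or of cerberus-node-client: it classifies the `Arn` returned by `sts.getCallerIdentity()` as the IRSA role or the EC2 worker-node role. It assumes the pod carries the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables that EKS injects for IRSA; the function names, account ID and ARNs are constructed.

```javascript
'use strict';

// Parse the Arn field of a getCallerIdentity() response for an assumed role:
//   arn:<partition>:sts::<account>:assumed-role/<role-name>/<session-name>
function parseAssumedRoleArn(arn) {
  const m = /^arn:([^:]+):sts::(\d{12}):assumed-role\/([^/]+)\/(.+)$/.exec(arn || '');
  return m ? { account: m[2], roleName: m[3], session: m[4] } : null;
}

// Parse an IAM role ARN such as the AWS_ROLE_ARN value present in an IRSA pod.
// A role may have a path (role/apps/my-role); the STS ARN omits that path,
// so only the final segment is compared.
function parseRoleArn(arn) {
  const m = /^arn:([^:]+):iam::(\d{12}):role\/(?:.+\/)?([^/]+)$/.exec(arn || '');
  return m ? { account: m[2], roleName: m[3] } : null;
}

// Classify which identity a set of credentials resolved to.
// source is one of: 'irsa', 'ec2-instance-role', 'other-role', 'not-a-role'.
function classifyCallerIdentity(callerArn, env) {
  const caller = parseAssumedRoleArn(callerArn);
  if (!caller) return { source: 'not-a-role', detail: String(callerArn) };
  const expected = env.AWS_WEB_IDENTITY_TOKEN_FILE ? parseRoleArn(env.AWS_ROLE_ARN) : null;
  if (expected && expected.account === caller.account &&
      expected.roleName === caller.roleName) {
    return { source: 'irsa', detail: caller.roleName };
  }
  // Instance-profile credentials use the EC2 instance ID as the session name.
  if (/^i-[0-9a-f]{8,17}$/.test(caller.session)) {
    return { source: 'ec2-instance-role', detail: `${caller.roleName} on ${caller.session}` };
  }
  return { source: 'other-role', detail: caller.roleName };
}

// Constructed sample values (not taken from the issue).
const sampleEnv = {
  AWS_ROLE_ARN: 'arn:aws:iam::111122223333:role/apps/example-irsa-role',
  AWS_WEB_IDENTITY_TOKEN_FILE: '/var/run/secrets/eks.amazonaws.com/serviceaccount/token',
};
const sampleArns = [
  'arn:aws:sts::111122223333:assumed-role/example-irsa-role/web-identity',
  'arn:aws:sts::111122223333:assumed-role/example-node-role/i-0123456789abcdef0',
];
for (const arn of sampleArns) {
  console.log(arn, '=>', classifyCallerIdentity(arn, sampleEnv));
}
```

In a pod, pass `(await sts.getCallerIdentity().promise()).Arn` and `process.env` for each of the two STS clients; a result of `ec2-instance-role` for the client built with explicit credentials matches the behaviour described in the issue.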