cloudyr / aws.iam

AWS IAM Client Package

Home Page: https://cran.r-project.org/package=aws.iam

Use assume role with web identity in order to use iam role for service account in EKS

Kent1 opened this issue

Please specify whether your issue is about:

  • a possible bug
  • a question about package functionality
  • a suggested code or documentation change, improvement to the code, or feature request

We have JupyterHub running in EKS. Each Jupyter pod uses an IAM role for service account in order to have access to S3, etc. That works fine with Python boto3 and awscli.

However, in R, the only thing I see is the role attached to the worker node, which is not the correct role.

Is there a way to use the same authentication mechanism as awscli or boto3? If not, is there a way to use assume role with web identity?

Put your code here:

## load package
library("aws.s3")
library("aws.signature")
library("aws.iam")

## code goes here

> get_caller_identity()

$Account  '012345678910'
$Arn  'arn:aws:sts::012345678910:assumed-role/eks-node-group-dev040/i-01adcd0b33f520bf9'
$UserId  'AROAQT5SGVC3YD227SYGI:i-01adcd0b33f520bf9'

> assume_role("arn:aws:iam::01234567810:role/terraform/jupyterhub/dev040-jupyterhub", "test", use=TRUE, key=NULL, secret=NULL, session_token="eyJhbGciOiJSUzI....")

Warning message in stsHTTP(query = query, ...):
“Forbidden (HTTP 403).List of 3
 $ Code   : chr "AccessDenied"
 $ Message: chr "User: arn:aws:sts::01234567810:assumed-role/eks-node-group-dev040/i-01adcd0b33f520bf9 is not authorized to per"| __truncated__


## session info for your system
sessionInfo()
R version 4.0.3 (2020-10-10)
Platform: x86_64-conda-linux-gnu (64-bit)
Running under: Ubuntu 20.04.1 LTS

Matrix products: default
BLAS/LAPACK: /opt/conda/lib/libopenblasp-r0.3.12.so

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C              
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8    
 [5] LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8   
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=C                 
 [9] LC_ADDRESS=C               LC_TELEPHONE=C            
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C       

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

other attached packages:
[1] aws.iam_0.1.8       aws.signature_0.6.0 aws.s3_0.3.21      

loaded via a namespace (and not attached):
 [1] aws.ec2metadata_0.2.0 digest_0.6.27         crayon_1.3.4         
 [4] IRdisplay_0.7.0       R6_2.5.0              repr_1.1.0           
 [7] lifecycle_0.2.0       jsonlite_1.7.1        evaluate_0.14        
[10] httr_1.4.2            pillar_1.4.7          rlang_0.4.9          
[13] curl_4.3              uuid_0.1-4            xml2_1.3.2           
[16] ellipsis_0.3.1        IRkernel_1.1.1        tools_4.0.3          
[19] compiler_4.0.3        base64enc_0.1-3       htmltools_0.5.0      
[22] pbdZMQ_0.3-3.1

@Kent1 Hi, did you manage to work around this issue? I am having the same problem. Please update. Thanks.

I can't remember, sorry. I was helping some dev with R code, but I am not an R dev myself.

See cloudyr/aws.signature#62 and cloudyr/aws.signature#63
Looks like support is written, but not released.
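
For reference, the call that boto3 and awscli make for an IAM role for service account is an unsigned STS AssumeRoleWithWebIdentity request carrying the pod's projected token, rather than a request signed with the node role's keys. The R code below is an added example, not code from aws.iam or aws.signature; its function names are hypothetical, and it assumes the pod has the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables that EKS injects.

```r
library(httr)
library(xml2)

# Build the STS query from the variables EKS injects into an IRSA-enabled pod.
web_identity_query <- function(session_name = "r-session") {
  role_arn   <- Sys.getenv("AWS_ROLE_ARN")
  token_file <- Sys.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
  if (!nzchar(role_arn) || !file.exists(token_file)) {
    stop("AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE not usable in this pod")
  }
  # Re-read on every call: the kubelet rotates the projected token.
  token <- paste(readLines(token_file, warn = FALSE), collapse = "")
  list(Action = "AssumeRoleWithWebIdentity", Version = "2011-06-15",
       RoleArn = role_arn, RoleSessionName = session_name,
       WebIdentityToken = token)
}

# Pull the temporary credentials out of the (namespaced) STS XML reply.
parse_sts_credentials <- function(reply) {
  doc <- read_xml(reply)
  field <- function(name) {
    node <- xml_find_first(doc, sprintf("//*[local-name()='%s']", name))
    if (inherits(node, "xml_missing")) stop("STS reply has no ", name)
    xml_text(node)
  }
  c(AWS_ACCESS_KEY_ID     = field("AccessKeyId"),
    AWS_SECRET_ACCESS_KEY = field("SecretAccessKey"),
    AWS_SESSION_TOKEN     = field("SessionToken"))
}

# The request is sent unsigned: the service account token authenticates it,
# so the node role's keys are never involved.
assume_role_web_identity <- function(session_name = "r-session") {
  resp <- POST("https://sts.amazonaws.com/",
               body = web_identity_query(session_name), encode = "form")
  stop_for_status(resp)
  creds <- parse_sts_credentials(content(resp, as = "text", encoding = "UTF-8"))
  do.call(Sys.setenv, as.list(creds))  # exported for the current R session
  invisible(creds)
}

# Constructed sample reply (placeholder values) to exercise the parser offline.
sample_reply <- paste0(
  '<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">',
  "<AssumeRoleWithWebIdentityResult><Credentials>",
  "<AccessKeyId>ASIAEXAMPLE</AccessKeyId><SecretAccessKey>example-secret</SecretAccessKey>",
  "<SessionToken>example-token</SessionToken>",
  "</Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>")
stopifnot(parse_sts_credentials(sample_reply)[["AWS_ACCESS_KEY_ID"]] == "ASIAEXAMPLE")
```

The credentials are temporary, so call `assume_role_web_identity()` again before they expire, and keep the token and the returned secret out of notebook output.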