Provider Cannot Assume Role From EKS #423

Open
CSimpiFoN opened this issue May 23, 2024 · 1 comment


@CSimpiFoN

When the provider is run in an EKS pod with the IAM assume-role setup (which works with the AWS provider too), the provider cannot use the assumed role, and the following error is returned:
* failed to load credentials: unable to assume role, {role_arn}: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 285fca36-2088-4448-b083-b61f3bc85cfe, api error AccessDenied: User: {temp_role_user} is not authorized to perform: sts:AssumeRole on resource: {role_arn}

Provider version: 0.7.1

Configuration:

provider "kafka" {
  bootstrap_servers    = try(split(",", aws_msk_cluster.kafka[0].bootstrap_brokers_sasl_iam), [])
  tls_enabled          = true
  sasl_mechanism       = "aws-iam"
  sasl_aws_region      = var.region
  sasl_aws_creds_debug = var.aws_creds_debug
}

AWS provider is able to assume the role without any issue.

I suspect the provider should work the same way as the AWS SDK, which uses the attached ServiceAccount to gather the temporary tokens to assume the role, and then to connect to MSK.
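
A small triage helper for the error quoted above, added here as an example; it is not part of the original post and not the provider's code. The ARNs, account ID and environment values are constructed (the issue redacts its own) and `triage` is a hypothetical name; `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables EKS injects for IAM roles for service accounts.

```python
import re

# Shape of the STS AccessDenied text quoted in the issue.
DENIED = re.compile(
    r"User: (?P<caller>\S+) is not authorized to perform: "
    r"(?P<action>sts:\w+) on resource: (?P<target>\S+)"
)
# arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
SESSION = re.compile(r"^arn:aws[\w-]*:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
# arn:aws:iam::<account>:role/<optional/path/><role-name>
ROLE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/(?:.+/)?([^/]+)$")

# Constructed sample values; the issue redacts the real ARNs.
SAMPLE_ROLE = "arn:aws:iam::111122223333:role/example-irsa-role"
SAMPLE_ERROR = (
    "failed to load credentials: unable to assume role, " + SAMPLE_ROLE
    + ": operation error STS: AssumeRole, https response error StatusCode: 403, "
    "api error AccessDenied: User: "
    "arn:aws:sts::111122223333:assumed-role/example-irsa-role/example-session "
    "is not authorized to perform: sts:AssumeRole on resource: " + SAMPLE_ROLE
)
SAMPLE_ENV = {
    "AWS_ROLE_ARN": SAMPLE_ROLE,
    "AWS_WEB_IDENTITY_TOKEN_FILE":
        "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}


def triage(error_text, env):
    """Classify an STS AccessDenied error seen from inside a pod."""
    m = DENIED.search(error_text)
    if not m:
        return {"matched": False}
    session, role = SESSION.match(m["caller"]), ROLE.match(m["target"])
    return {
        "matched": True,
        "denied_action": m["action"],
        # Caller already holds role-session credentials from an earlier hop.
        "caller_is_role_session": bool(session),
        "irsa_env_present": bool(env.get("AWS_ROLE_ARN")
                                 and env.get("AWS_WEB_IDENTITY_TOKEN_FILE")),
        # The denied call targets the same role the session already holds.
        "self_assume": bool(session and role and session.group(1, 2) == role.group(1, 2)),
        "target_is_env_role": env.get("AWS_ROLE_ARN") == m["target"],
    }
```

When `caller_is_role_session` is true and the denied action is `sts:AssumeRole`, the web-identity hop has already produced credentials and the failure is in a second role hop, so the things to check are why a second `AssumeRole` call is made and whether the target role's trust policy allows that caller.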

@benjefferies

@CSimpiFoN did you find a workaround?
