1
votes

I've followed all of the steps described here, and when I run the exec command I see the role:

kubectl exec -n bn bn-query-service-deployment-7649b5cd45-fdptw env | grep AWS
AWS_ROLE_ARN=arn:aws:iam::1111111:role/eksctl-playground-addon-iamserviceaccount-bn-b-Role1-HSIN6D1SKE7T
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

But my container still fails to load:

Caused by: com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), com.amazonaws.auth.profile.ProfileCredentialsProvider@5ddeb7cb: profile file cannot be null, WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@33ecda92: Unable to load credentials from service endpoint]

What else should I check? What might I be missing?

1
On EKS Fargate pods, I do find AWS_ROLE_ARN and the AWS_WEB_IDENTITY_TOKEN_FILE, but using the CLI I cannot, for example, list Dynamo tables. The CLI just hangs. What is required to test the role with the CLI on the pod? Did you manage to get that working, @Vladimir? (thomas)

1 Answer

2
votes

I figured it out. I had to include the aws-java-sdk-sts module:

compile group: 'com.amazonaws', name: 'aws-java-sdk-sts', version: '1.11.699'

Including the newer SDK's sts module didn't work:

compile group: 'software.amazon.awssdk', name: 'sts', version: '2.10.40'
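
A pre-flight check for the three things the WebIdentityTokenCredentialsProvider entry in the stack trace depends on, written as an added example (not code from the question or the answer). It assumes the application's dependency jars sit unpacked in one directory passed as the argument; fat or shaded jars are not inspected, and the function name and verdict strings are made up for this example.

```shell
#!/bin/sh
# irsa_check LIB_DIR
#   LIB_DIR: directory holding the app's dependency jars (assumption of this example).
# Prints one verdict word (names invented for this example) and returns 0 only for "ok".
irsa_check() {
    lib_dir=${1:-.}

    # 1. Both variables shown in the `kubectl exec ... env` output must be set.
    if [ -z "${AWS_ROLE_ARN:-}" ] || [ -z "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
        echo "env-missing"
        return 1
    fi

    # 2. The projected service account token must exist, be readable by the
    #    user the JVM runs as, and be non-empty.
    if [ ! -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ] || [ ! -s "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
        echo "token-unreadable"
        return 2
    fi

    # 3. The SDK v1 provider (com.amazonaws) needs the v1 STS module,
    #    whose jar is named aws-java-sdk-sts-<version>.jar.
    v1_sts=$(find "$lib_dir" -name 'aws-java-sdk-sts-*.jar' 2>/dev/null | head -n 1)
    if [ -n "$v1_sts" ]; then
        echo "ok"
        return 0
    fi

    # The SDK v2 artifact (software.amazon.awssdk:sts) lands as sts-2.<x>.jar.
    # As the answer found, it does not satisfy the v1 provider.
    v2_sts=$(find "$lib_dir" -name 'sts-2.*.jar' 2>/dev/null | head -n 1)
    if [ -n "$v2_sts" ]; then
        echo "sts-v2-only"
        return 3
    fi

    echo "sts-missing"
    return 4
}
```

A verdict of `sts-v2-only` or `sts-missing` with both variables present matches the situation in the question: the role is injected correctly and the fix is in the build file, not in the IAM or service account setup.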