Any Possibilities by using IAM role based authentication

[cravi-aws20]

This is working only while passing "S3_Access_Key" & "S3_Secret_Key". But is there any possibilities to avoid these inputs and do it through IAM-Role based authentication in Native Kubernetes Cluster(non EKS).

We are passing the IAM role with STS permissions here, and we are able to get the S3 Buckets inside of the Kubernetes POD by passing the command(aws s3 ls <> and here we installed aws-cli on the image) but with this we couldn't get the same on URL endpoint. Because the scripts are using the "S3_Access_Key" & "S3_Secret_Key".

So is there any possibilities with this above?

[dekobon]

Hi @cravi-aws20,

Are you able to use the instance profile credential authentication method as described here?

I'm not much of an AWS IAM/permissions expert, so it would be helpful if you could describe how what you are trying to do differs from what is supported as described in the linked docs.

[dekobon]

I just noticed that there is another discussion thread going about this. If you are in a non-EKS k8s instance, I think you can use the Running in EC2 With an IAM Policy method, but you will need to configure the response hop limit.

[cravi-aws20]

But we have already as full working cluster in native K8S, we have created cluster instances in AWS EC2 Instances. Also this method you are referring seems applying ECS methods. So we cannot use this method, hence we have asked the solution.

Is there any ways to define IAM roles instead of Access Keys & Secret Keys in the scripts? As our org policy says we cannot use any specific user account for creating this Access Key & Secret key in the AWS.

[dekobon]

Please excuse my misunderstandings as I do not have a lot of expertise here. It may take us a while to get to exactly what the integration point is.

If I am understanding correctly, you are running k8s in EC2 instances and are not using EKS at all. If so, I suspect that the method we use for authenticating using an instance profile credential will work. Let me explain my thinking and please point out where the problem is.

When the gateway container start's it attempts to contact the AWS magic IP for metadata information. If that IP returns credential information, then we use that information for the gateway. Our check looks like this:

curl --output /dev/null --silent --head --fail --connect-timeout 2 "http://169.254.169.254"

This step won't work if you are running in a container on an EC2 instance unless you configure the metadata settings to increase the hop setting to 3+. Typically you would have to do something like this:

aws ec2 modify-instance-metadata-options --instance-id <instance id> \
    --http-put-response-hop-limit 3 --http-endpoint enabled

Now for your k8s cluster, if you set it up using Terraform, Pulumi, or another infrastructure as code tool, you would use that tool to make that setting change for each EC2 instance you have provisioned for k8s. You might also be able to do this in your instance template settings.

Once those settings are in place, then you could run the gateway container on the k8s cluster and omit the S3_ACCESS_KEY_ID and S3_SECRET_KEY environment variables. You may also need to set JS_TRUSTED_CERT_PATH (search our issues for more info).

I hope this helps. I'm going to be away until the Dec 12th, so unfortunately I won't be able to reply until then.

[cravi-aws20]

Thanks for your answer. However we do not required to communicate through EC2 Instance (as we have to EC2 instance profile settings here) and we required to give IAM role permission to kubernetes cluster which should bring the results.

Here we tried to get the list by executing "aws s3 ls" command inside of the POD container and it is working(without S3_access_key & S3_secret_key and by passing role permissions to kubernetes ) but we couldn't get this on the endpoint URL because the script was not running without the variables).

So is there any way to get this?