Client not picking up correct role on EKS node with ServiceAccount applied.
Describe the bug
Appear to be using the wrong role/credentials with a service account
I have a role bound to a Kubernetes Service account on EKS, which when applied to a pod is setting the following environment variables:
- AWS_DEFAULT_REGION: us-east-2
- AWS_REGION: us-east-2
- AWS_ROLE_ARN: arn:aws:iam::202058804932:role/eksctl-node-red-addon-iamserviceaccount-defa-Role1-16K0LE4QTM51J
- AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:DeleteAccessPoint"
],
"Resource": "*"
}
]
}
It looks like the client is picking up the generic role, not the one being passed in from the service account.
Your environment
SDK version number
@aws-sdk/client-efs@3.14.0
Is the issue in the browser/Node.js/ReactNative?
Node.js
Details of the browser/Node.js/ReactNative version
/usr/src/app # node -v
v12.20.1
Steps to reproduce
I followed these instructions to set up a policy/role/ServiceAccount mapping:
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
I run the following code:
const Storage = require('./storage.js')
// storage.js exports Storage(fsID, region), so the file system ID comes first
const storage = new Storage("fs-xxxxxx", "us-east-2")
storage.CreateAccessPoint("foo")
Where storage.js
is:
const { EFSClient,
DescribeAccessPointsCommand,
CreateAccessPointCommand,
DeleteAccessPointCommand } = require('@aws-sdk/client-efs')
function Storage(fsID, region) {
this._fsID = fsID
// No explicit config: credentials and region are resolved by the SDK's default
// provider chains (AWS_REGION, AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, ...).
// The variant described below passes { region: region } here instead.
this._efsClient = new EFSClient()
}
Storage.prototype.CreateAccessPoint = function(name){
const params = {
FileSystemId: this._fsID,
PosixUser: {
Uid: 1000,
Gid: 1000
},
RootDirectory: {
Path: "/"+ name,
CreationInfo: {
OwnerUid: 1000,
OwnerGid: 1000,
Permissions: "755"
}
},
Tags: [
{Key: "Name", Value: name+"-ap"}
]
}
const apCommand = new CreateAccessPointCommand(params)
return this._efsClient.send(apCommand)
}
Storage.prototype.DeleteAccessPoint = function(name){
const params = {
FileSystemId: this._fsID
}
const describeCommand = new DescribeAccessPointsCommand(params)
return this._efsClient.send(describeCommand)
.then(aps => {
if (aps) {
for (var i=0; i<aps.AccessPoints.length; i++) {
let ap = aps.AccessPoints[i]
if (ap.Name == name + "-ap" ) {
const delParam = {
AccessPointId: ap.AccessPointId
}
const delCommand = new DeleteAccessPointCommand(delParam)
return this._efsClient.send(delCommand)
}
}
}
})
}
module.exports = Storage
I’ve tried both as is and with passing {region: region} to the client constructor.
Observed behavior
I get the following error:
AccessDeniedException: User: arn:aws:sts::202058804932:assumed-role/eksctl-node-red-nodegroup-ng-0fe4-NodeInstanceRole-1ROIX18NYR233/i-0ee6c7874944f5784 is not authorized to perform: elasticfilesystem:CreateAccessPoint on the specified resource
at deserializeAws_restJson1CreateAccessPointCommandError (/usr/src/app/node_modules/@aws-sdk/client-efs/dist/cjs/protocols/Aws_restJson1.js:857:41)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at async /usr/src/app/node_modules/@aws-sdk/middleware-serde/dist/cjs/deserializerMiddleware.js:6:20
at async /usr/src/app/node_modules/@aws-sdk/middleware-signing/dist/cjs/middleware.js:12:24
at async StandardRetryStrategy.retry (/usr/src/app/node_modules/@aws-sdk/middleware-retry/dist/cjs/defaultStrategy.js:56:46)
at async /usr/src/app/node_modules/@aws-sdk/middleware-logger/dist/cjs/loggerMiddleware.js:6:22 {
'$fault': 'client',
'$metadata': {
httpStatusCode: 403,
requestId: '1f8d9d8e-fe6b-4479-9452-94aaabea22ac',
extendedRequestId: undefined,
cfId: undefined,
attempts: 1,
totalRetryDelay: 0
}
}
Expected behavior
I expect the code to be able to create the EFS AccessPoint
Screenshots
NA
v3.15 looks to be working.
Thanks.
Can I suggest an update to the EKS docs (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html) to point to the right version please.