Aws sdk从eks而不是ec2 获取实例凭据
我使用spring-cloud-aws向sns发送消息,并且本地凭据链与.aws/credentials文件配合良好。然而,在云端,这并不是那么容易。
对于云部署,我们将IAM角色用于服务帐户。在SDK文档中,如果找不到其他凭据链,则凭据链将承担此角色。
这将是一种简单的方法,但这并没有发生,当spring启动时,它以某种方式承担了分配给节点eks的角色,理论上它甚至不应该填充,这是不正确的,并且在我使用sns时会导致权限错误。
software.amazon.awssdk.services.sns.model.AuthorizationErrorException: User: arn:aws:sts::*******:assumed-role/eksctl-*******-eks-qa-nodegroup-spo-NodeInstanceRole-*******/i-******* is not authorized to perform: SNS:ListTopics
我已经尝试了几种方法,包括
@Bean
@Primary
public AmazonSNS amazonSns() {
return AmazonSNSClientBuilder.standard()
.withCredentials(new InstanceProfileCredentialsProvider())
.build();
}
cloud:
aws:
credentials:
use-default-aws-credentials-chain: true
以及其他一些。
我隔离了这个错误,由sdk v1负责。我上传了一个带有纯sdk v2的代码版本,没有修改环境中的任何内容,它正常工作,使用凭证链并获得正确的角色。
我已经检查了这个答案,spring使用的版本是1.11.951,对于纯sdk,我使用的是1.12.142。文档的最低版本是1.11.704
使用纯sdk v2有点费力,而且没有必要。如果spring已经提供了这种实现,它将在spring cloud aws V3.0 中默认使用它
我的等级构建
plugins {
id 'org.springframework.boot' version '2.6.2'
id 'io.spring.dependency-management' version '1.0.11.RELEASE'
id 'java'
}
group = 'com.multilaser.worker'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '17'
ext {
set('springCloudVersionAws', "2.3.2")
}
repositories {
mavenCentral()
mavenLocal()
}
configurations {
compileOnly {
extendsFrom annotationProcessor
}
}
dependencies {
implementation 'org.springframework.boot:spring-boot-starter'
testImplementation 'org.springframework.boot:spring-boot-starter-test'
implementation 'io.awspring.cloud:spring-cloud-starter-aws'
implementation 'io.awspring.cloud:spring-cloud-starter-aws-messaging'
implementation 'io.awspring.cloud:spring-cloud-aws-autoconfigure'
compileOnly 'org.projectlombok:lombok'
annotationProcessor 'org.projectlombok:lombok'
implementation 'org.springframework.boot:spring-boot-starter-actuator'
annotationProcessor 'org.mapstruct:mapstruct-processor:1.4.2.Final'
}
dependencyManagement {
imports {
mavenBom "io.awspring.cloud:spring-cloud-aws-dependencies:${springCloudVersionAws}"
}
}
depoy.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: ----
namespace: ---
labels:
app: ---
spec:
replicas: 1
selector:
matchLabels:
app: ---
template:
metadata:
labels:
app: ---
spec:
serviceAccountName: ----
containers:
- name: ---
image: ---
imagePullPolicy: Always
resources:
requests:
memory: "256Mi"
cpu: "80m"
limits:
memory: "800Mi"
cpu: "500m"
readinessProbe:
failureThreshold: 3
httpGet:
path: /actuator/health
port: 8080
httpHeaders:
- name: X-Custom-Header
value: ReadinessProbe
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
livenessProbe:
failureThreshold: 3
httpGet:
path: /actuator/health
port: 8080
httpHeaders:
- name: X-Custom-Header
value: LivenessProbe
initialDelaySeconds: 35
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 10
envFrom:
- configMapRef:
name: ---
- secretRef:
name: ---
ports:
- containerPort: 8080
- containerPort: 5005
在项目中添加lib aws java sdk sts解决了问题
implementation group: 'com.amazonaws', name: 'aws-java-sdk-sts', version: '1.11.951'