如何获得使用IRSA访问S3的aw -iam-令牌?

我已经在terraform中创建了一个IRSA角色，以便K8s作业可以使用关联的服务帐户访问S3桶，但是我一直在作业中得到AccessDenied错误。

我首先在我们的EKS集群中启用IRSA，在我们的eks模块中启用enable_irsa = true。

然后我创建了一个简单的aws_iam_policy作为:

resource "aws_iam_policy" "eks_s3_access_policy" {
name = "eks_s3_access_policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"s3:*",
]
Effect   = "Allow"
Resource = "arn:aws:s3:::*"
},
]
})
}

和iam-assumable-role-with-oidc:

module "iam_assumable_role_with_oidc_for_s3_access" {
source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "~> 3.0"
create_role = true
role_name = "eks-s3-access"
role_description = "Role to access s3 bucket"
tags = { Role = "eks_s3_access_policy" }
provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
role_policy_arns = [aws_iam_policy.eks_s3_access_policy.arn]
number_of_role_policy_arns = 1
oidc_fully_qualified_subjects = ["system:serviceaccount:default:my-user"]
}

我使用Helm创建了一个K8s服务帐户，如下:

Name:                my-user
Namespace:           default
Labels:              app.kubernetes.io/managed-by=Helm
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::111111:role/eks-s3-access
meta.helm.sh/release-name: XXXX
meta.helm.sh/release-namespace: default
Image pull secrets:  <none>
Mountable secrets:   my-user-token-kwwpq
Tokens:              my-user-token-kwwpq
Events:              <none>

最后，使用K8s API从作业模板创建作业:

apiVersion: batch/v1
kind: Job
metadata:
name: job
namespace: default
spec:
template:
spec:
serviceAccountName: my-user
containers:
- name: {{ .Chart.Name }}
env:
- name: AWS_ROLE_ARN
value: arn:aws:iam::746181457053:role/eks-s3-access
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
volumeMounts:
- mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
name: aws-iam-token
readOnly: true
volumes:
- name: aws-iam-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
audience: sts.amazonaws.com
expirationSeconds: 86400
path: token

但是，当作业尝试获取指定的凭据时，指定的令牌不存在:

2021-08-03 18:02:41  Refreshing temporary credentials failed during mandatory refresh period.
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/aiobotocore/credentials.py", line 291, in _protected_refresh
metadata = await self._refresh_using()
File "/usr/local/lib/python3.7/site-packages/aiobotocore/credentials.py", line 345, in fetch_credentials
return await self._get_cached_credentials()
File "/usr/local/lib/python3.7/site-packages/aiobotocore/credentials.py", line 355, in _get_cached_credentials
response = await self._get_credentials()
File "/usr/local/lib/python3.7/site-packages/aiobotocore/credentials.py", line 410, in _get_credentials
kwargs = self._assume_role_kwargs()
File "/usr/local/lib/python3.7/site-packages/aiobotocore/credentials.py", line 420, in _assume_role_kwargs
identity_token = self._web_identity_token_loader()
File "/usr/local/lib/python3.7/site-packages/botocore/utils.py", line 2365, in __call__
with self._open(self._web_identity_token_path) as token_file:
FileNotFoundError: [Errno 2] No such file or directory: '/var/run/secrets/eks.amazonaws.com/serviceaccount/token'

根据https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/中描述的内容，webhook通常在创建pod时创建这些凭据。然而，由于我们是在k8s集群中按需创建新的k8s作业，我怀疑webhook没有创建任何这样的凭据。

如何请求从K8s集群中创建正确的凭据?有没有办法从集群内实例化webhook ?

有几件事可能会导致失败。

检查IRSA角色的所有设置。对于信任关系设置，请检查命名空间名称和服务帐户名称是否正确。只有当这些设置与角色匹配时才能被假定。
当pod运行时，尝试使用shell访问pod。查看"AWS_*"内容环境变量。检查AWS_ROLE_ARN是否指向正确的角色。检查AWS_WEB_IDENTITY_TOKEN_FILE所指向的文件是否在它的位置并且是可读的。只是尝试做一个cat文件，看看它是否可读。
如果您以非root用户运行pod(出于安全原因，建议这样做)，请确保运行pod的用户有权访问该文件。如果不一致，请调整该pod的securityContext。也许fsGroup的设置可以在这里提供帮助。https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/安全上下文
确保您的pos使用的SDK支持IRSA。如果您使用的是较旧的sdk，则可能不支持IRSA。查看IRSA文档了解支持的SDK版本。https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html

相关内容

最新更新

热门标签：