
KCL using eks node group user account instead of the service account #1110

Open
sushant3k opened this issue May 16, 2023 · 2 comments
Labels
multi lang daemon v2.x Issues related to the 2.x version

Comments

@sushant3k

Environment:
KCL used as multilang daemon
KCL version used: 2.1.1
JDK 11
Python : 3.11

The application is deployed in an EKS cluster and has its own service account. All the necessary permissions, trust policies, etc. are provided and validated.
Application is configured to use DefaultAWSCredentialsProviderChain for credentials management.

However, it is seen that the application pod, instead of using the configured service account, uses the EKS node group's credentials and hence fails authorization against multiple services.
e.g.

software.amazon.kinesis.leases.exceptions.DependencyException: software.amazon.awssdk.services.dynamodb.model.DynamoDbException: User: arn:aws:sts::181148949657:assumed-role/eks-node-group-nodes/i-04120735db66d8dde is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:181148949657:table/alarminator because no identity-based policy allows the dynamodb:CreateTable action (Service: DynamoDb, Status Code: 400, Request ID: C8GJT9E3SATSQE54O8NG4MTD0RVV4KQNSO5AEMVJF66Q9ASUAAJG)
at software.amazon.kinesis.leases.dynamodb.DynamoDBLeaseRefresher.createTableIfNotExists(DynamoDBLeaseRefresher.java:226)
at software.amazon.kinesis.leases.dynamodb.DynamoDBLeaseRefresher.createLeaseTableIfNotExists(DynamoDBLeaseRefresher.java:191)
at software.amazon.kinesis.leases.dynamodb.DynamoDBLeaseCoordinator.initialize(DynamoDBLeaseCoordinator.java:215)
at software.amazon.kinesis.coordinator.Scheduler.initialize(Scheduler.java:349)
at software.amazon.kinesis.coordinator.Scheduler.run(Scheduler.java:322)
at software.amazon.kinesis.multilang.MultiLangDaemon$MultiLangRunner.call(MultiLangDaemon.java:95)
at software.amazon.kinesis.multilang.MultiLangDaemon$MultiLangRunner.call(MultiLangDaemon.java:86)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)

@stair-aws stair-aws added multi lang daemon v2.x Issues related to the 2.x version labels May 17, 2023
@mark-k4

mark-k4 commented May 18, 2023

Ran into the same issue using Node w/ aws-kcl, which bootstraps the multilang daemon. The only thing missing was the aws-java-sdk-sts dependency (also set to the same version as aws-java-sdk-core); once we added that to the bootstrapper's pom.xml file, everything started working. Hope that helps.
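Why a missing STS dependency ends up with the node group role: with IAM Roles for Service Accounts, EKS injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into the pod, and the SDK v2 DefaultCredentialsProvider tries its web-identity provider before falling back to the EC2 instance profile. That provider needs the `sts` service module on the classpath; when it is absent the provider fails and the chain silently continues to IMDS, which hands out the node role seen in the stack trace above. The following Python model of that chain is an added example, not code from the KCL project or from either commenter; the provider order mirrors AWS SDK for Java v2, while the function names, the role ARN, the token and the service-account subject are constructed sample values.

```python
import base64
import json
from dataclasses import dataclass

# Constructed sample values (not from the issue); real ARNs and tokens differ.
ROLE_ARN = "arn:aws:iam::123456789012:role/app-irsa-role"
TOKEN_PATH = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
SA_SUBJECT = "system:serviceaccount:default:app"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(sub: str, aud: str = "sts.amazonaws.com") -> str:
    """Unsigned token shaped like an EKS projected service-account token (constructed)."""
    header = b64url(b'{"alg":"none","typ":"JWT"}')
    claims = {"sub": sub, "aud": [aud], "iss": "https://oidc.eks.example/id/EXAMPLE"}
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def describe_token(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostic only).

    The 'sub' claim is what the role trust policy's StringEquals condition
    must match; 'aud' must be sts.amazonaws.com for AssumeRoleWithWebIdentity.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {"sub": claims.get("sub"), "aud": claims.get("aud"), "iss": claims.get("iss")}


@dataclass
class PodEnvironment:
    env: dict            # environment variables visible to the JVM
    files: dict          # path -> file contents (projected token, profiles)
    classpath: set       # SDK artifactIds present on the classpath
    imds_reachable: bool = True  # node metadata service answers (it normally does)


def resolve_credentials(pod: PodEnvironment) -> tuple[str, str]:
    """Return (provider, identity) the SDK v2 default chain settles on."""
    env = pod.env
    # 1. Static keys from the environment.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return ("environment", "static-keys")
    # 2. Web identity (IRSA): both variables AND the sts module are required.
    #    Without the module the provider throws and the chain moves on, which
    #    is the silent fall-through behind the issue.
    role = env.get("AWS_ROLE_ARN")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if role and token_file and "sts" in pod.classpath and token_file in pod.files:
        return ("web-identity", role)
    # 3. Shared credentials file / profile.
    if "/root/.aws/credentials" in pod.files:
        return ("profile", "shared-credentials-file")
    # 4. Container credentials endpoint (ECS task role / EKS Pod Identity).
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") or env.get(
        "AWS_CONTAINER_CREDENTIALS_FULL_URI"
    ):
        return ("container", "task-role")
    # 5. EC2 instance profile via IMDS: the node group role.
    if pod.imds_reachable:
        return ("instance-profile", "node-group-role")
    raise RuntimeError("no credentials found in any provider")


def irsa_pod(classpath: set) -> PodEnvironment:
    """A pod as EKS wires it for IRSA, with a caller-chosen classpath (constructed)."""
    return PodEnvironment(
        env={"AWS_ROLE_ARN": ROLE_ARN, "AWS_WEB_IDENTITY_TOKEN_FILE": TOKEN_PATH},
        files={TOKEN_PATH: make_token(SA_SUBJECT)},
        classpath=classpath,
    )


if __name__ == "__main__":
    for cp in ({"kinesis", "dynamodb"}, {"kinesis", "dynamodb", "sts"}):
        print(sorted(cp), "->", resolve_credentials(irsa_pod(cp)))
    print(describe_token(make_token(SA_SUBJECT)))
```

Run with the KCL jars you actually ship as the classpath set: if the chain lands on `instance-profile` even though the two IRSA variables are present, the STS module is the missing piece rather than the trust policy. Decoding the projected token and comparing `sub` against the role trust policy is the complementary check when the module is present but the AssumeRoleWithWebIdentity call itself is denied.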

@Fs02

Fs02 commented Jun 22, 2023

Ran into the same issue too; adding aws-java-sdk-sts doesn't help.
