Environment:
KCL used as multilang daemon
KCL version used: 2.1.1
JDK 11
Python : 3.11
Application is deployed in EKS cluster and has got its own service account. All the necessary permissions, trust policies etc are provided and validated.
Application is configured to use DefaultAWSCredentialsProviderChain for credentials management.
However, it is seen that the application pod, instead of using the configured service account, uses the EKS node groups and hence fails on the authorization related to multiple services.
e.g.
software.amazon.kinesis.leases.exceptions.DependencyException: software.amazon.awssdk.services.dynamodb.model.DynamoDbException: User: arn:aws:sts::181148949657:assumed-role/eks-node-group-nodes/i-04120735db66d8dde is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:181148949657:table/alarminator because no identity-based policy allows the dynamodb:CreateTable action (Service: DynamoDb, Status Code: 400, Request ID: C8GJT9E3SATSQE54O8NG4MTD0RVV4KQNSO5AEMVJF66Q9ASUAAJG)
at software.amazon.kinesis.leases.dynamodb.DynamoDBLeaseRefresher.createTableIfNotExists(DynamoDBLeaseRefresher.java:226)
at software.amazon.kinesis.leases.dynamodb.DynamoDBLeaseRefresher.createLeaseTableIfNotExists(DynamoDBLeaseRefresher.java:191)
at software.amazon.kinesis.leases.dynamodb.DynamoDBLeaseCoordinator.initialize(DynamoDBLeaseCoordinator.java:215)
at software.amazon.kinesis.coordinator.Scheduler.initialize(Scheduler.java:349)
at software.amazon.kinesis.coordinator.Scheduler.run(Scheduler.java:322)
at software.amazon.kinesis.multilang.MultiLangDaemon$MultiLangRunner.call(MultiLangDaemon.java:95)
at software.amazon.kinesis.multilang.MultiLangDaemon$MultiLangRunner.call(MultiLangDaemon.java:86)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
Ran into the same issue using node w/ aws-kcl, which bootstraps the multilang daemon. Only thing missing was the aws-java-sdk-sts dependency (also set to the same version as aws-java-sdk-core); once we added that to the bootstrapper's pom.xml file, everything started working. Hope that helps.
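A check for the symptom reported in this thread, as an added example that is not part of the original issue or of the KCL project: it takes the caller ARN from an AccessDenied message and the pod's environment, and reports whether the SDK fell back to the node instance role. The function name, the role name `kcl-consumer-irsa` and the account ID are constructed for illustration; `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables EKS injects for IAM roles for service accounts.

```python
import re

# arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE = re.compile(
    r"arn:aws[a-z-]*:sts::\d{12}:assumed-role/([\w+=,.@-]+)/([\w+=,.@-]+)")
# EC2 instance-profile credentials use the instance ID as the session name.
INSTANCE_ID = re.compile(r"i-[0-9a-f]{8,17}")


def diagnose(caller_text, env):
    """Report which identity a pod's AWS SDK actually used.

    caller_text: text containing the caller ARN (AccessDenied message or
                 `aws sts get-caller-identity` output).
    env:         the pod's environment as a mapping, e.g. os.environ.
    """
    m = ASSUMED_ROLE.search(caller_text)
    if not m:
        return "unknown: no assumed-role ARN in input"
    used_role, session = m.groups()
    expected_arn = env.get("AWS_ROLE_ARN")
    if not expected_arn or not env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        return "irsa-not-injected: check the pod's serviceAccountName and its role annotation"
    expected_role = expected_arn.rsplit("/", 1)[-1]  # drop any IAM path
    if used_role == expected_role:
        return "ok: pod is using the service-account role " + expected_role
    if INSTANCE_ID.fullmatch(session):
        return ("node-role-fallback: IRSA variables are set but the SDK used "
                "node role " + used_role + "; the web-identity provider was skipped")
    return "role-mismatch: expected " + expected_role + ", got " + used_role


if __name__ == "__main__":
    # Constructed sample: error text and pod environment, not taken from a real cluster.
    error = ("User: arn:aws:sts::111122223333:assumed-role/eks-node-group-nodes/"
             "i-0123456789abcdef0 is not authorized to perform: dynamodb:CreateTable")
    pod_env = {
        "AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/kcl-consumer-irsa",
        "AWS_WEB_IDENTITY_TOKEN_FILE":
            "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    }
    print(diagnose(error, pod_env))
```

A `node-role-fallback` verdict matches the situation in the reply above, where adding the aws-java-sdk-sts dependency resolved it.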