3

Actually, I use kubernetes service accounts mostly with NodeJS, and this works fine, but I have this one service made in Go and I can't seem to make it work with service accounts (I know that the service account is correctly configured because I tested it with a pod).

I'm using this lib https://github.com/aws/aws-sdk-go

Up till now I tried this:

  sess := session.Must(session.NewSession())

  creds := stscreds.NewCredentials(sess, os.Getenv("AWS_ROLE_ARN"))

  svc := s3.New(sess, &aws.Config{Credentials: creds})

And also this (just in case):

  region := os.Getenv("AMAZON_REGION")
  sess := session.Must(session.NewSession(&aws.Config{Region: &region}))

  svc := s3.New(sess)

for the first case I got the following error:

AccessDenied: User: arn:aws:sts::xxxxxxxx:assumed-role/staging-worker-node/i-0xxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxx:role/EKSServiceAccount-app

and for the second case, I got a generic permission error.

I read the docs and tried a few things more (that may not be relevant here), but I can't see to make it work, maybe because I don't have much experience with golang.

David Nithael Torres Lima
  • 445
  • 2
  • 10

1 Answers1

1

There are a few things you can try to get your Go service to work with service accounts on Kubernetes:

Verify that your Go service is properly configured to use the Kubernetes service account. This can be done by checking that the service account is correctly mounted as a volume in the pod definition and that the service is able to read the credentials from the volume.

Make sure that the AWS SDK for Go you are using (https://github.com/aws/aws-sdk-go) is configured to use the correct credentials. The SDK supports several methods for providing credentials, including environment variables, shared credentials file, and IAM roles.

You can try using the k8s.io/client-go library instead of the AWS SDK for Go, this will help you to use the Kubernetes service account to authenticate with the Kubernetes API and obtain the required credentials for the AWS SDK.

If you are using the Kubernetes service account to authenticate with an external service such as AWS, you may also need to configure an IAM role that allows the service account to access the necessary resources.

Double check that your Go service is correctly using the Kubernetes service account token and is passing it along as an authentication token to the AWS SDK.

You can also try to use the k8s.io/client-go library to get the secret and use it in your go code.

Laith Leo Alobaidy
  • 377
  • 2
  • 8