Update docker image? #65

Open
jcpetruzza opened this issue Mar 12, 2020 · 10 comments

@jcpetruzza

The latest official docker image (0.9) appears to be a year old. Since then, the aws-sdk-go has added support for assuming roles via webtokens. This is necessary in order to run aws-es-proxy on kubernetes via AWS EKS using the native support for IAM roles.

Building against a newer version of aws-sdk-go should be enough to support this, I think, so creating a new official image could be a good idea?

@jcpetruzza
Author

Just saw #61 which would need to be merged first!

@abutaha
Owner

abutaha commented Mar 22, 2020

Will have a look and update the docker image.

@jcpetruzza
Author

Thanks! Since you are on it, would you consider merging #40 as well? We are using aws-es-proxy via the fluentd-elasticsearch helm chart on EKS, and had to end up using a custom image with both #61 and #40 applied. The latter was to actually see some errors when the IAM role was misconfigured! 😄

@abutaha
Owner

abutaha commented Apr 3, 2020

This has been fixed in the new commit to master today. I will soon release a new docker image containing the latest code.

@ojundt

ojundt commented Jun 1, 2020

Having IRSA support would be great! Any news on integrating that feature?

@codyja

codyja commented Jun 8, 2020

Would like to give this a try with the later aws-sdk-go version that supports IAM on EKS. Thanks!

@abutaha
Owner

abutaha commented Jun 8, 2020

@ojundt version 1.1 has IRSA included, can you give it a try?
@codyja I'm using aws-sdk-go v1.30.4 which I think has the support, however, I will update the sdk and release a new version this week.

@ojundt

ojundt commented Jun 12, 2020

@abutaha version 1.1 with IRSA works like a charm. Thank you!

@diego-ojeda-binbash

Hi @ojundt, could you help me understand how to run aws-es-proxy in order to get it working with IRSA? I'm struggling a bit to make it run. Are you deploying aws-es-proxy through a YAML manifest via kubectl? Are you using a chart? What parameters do you pass to either of those to make it work? Thanks!

@diego-ojeda-binbash

In case it helps somebody else I managed to get it working on AWS EKS by providing the following environment variables to the aws-es-proxy pod:

  • AWS_ROLE_ARN => arn:aws:iam::[ACCOUNT_ID]:role/[ROLE_NAME]
  • AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token

The service account needs to be annotated with eks.amazonaws.com/role-arn so that EKS creates the token in the file specified above.
Also, you are providing a role ARN which belongs to an actual role; that role needs to be granted access to AWS ES through a policy in order for this to work.
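
A preflight check for the setup described in the comment above, as an added example that is not part of the thread or of aws-es-proxy's own code: it validates the shape of AWS_ROLE_ARN, reads the file named by AWS_WEB_IDENTITY_TOKEN_FILE, and decodes (without verifying the signature) the token's subject and expiry, the subject being the identity the role's trust policy has to allow. `CheckIRSA` is a hypothetical helper name, and the `system:serviceaccount:` subject prefix is the standard Kubernetes service account token format, assumed here rather than stated in the thread.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
	"time"
)

// Shape of an IAM role ARN; rejects unfilled placeholders such as [ACCOUNT_ID].
var roleARN = regexp.MustCompile(`^arn:aws[a-z-]*:iam::\d{12}:role/.+$`)

// CheckIRSA (hypothetical helper) returns the token subject on success.
// Diagnostic only: the JWT signature is NOT verified here; STS does that.
func CheckIRSA(arn, tokenFile string, now time.Time) (string, error) {
	if !roleARN.MatchString(arn) {
		return "", fmt.Errorf("AWS_ROLE_ARN %q is not an IAM role ARN", arn)
	}
	raw, err := os.ReadFile(tokenFile)
	if err != nil {
		return "", fmt.Errorf("AWS_WEB_IDENTITY_TOKEN_FILE: %w", err)
	}
	parts := strings.Split(strings.TrimSpace(string(raw)), ".")
	if len(parts) != 3 {
		return "", errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("token payload is not base64url: %w", err)
	}
	var c struct { Sub string `json:"sub"`; Exp int64 `json:"exp"` }
	if err := json.Unmarshal(payload, &c); err != nil || !strings.HasPrefix(c.Sub, "system:serviceaccount:") {
		return "", fmt.Errorf("not a service account token (sub=%q)", c.Sub)
	}
	if now.Unix() >= c.Exp {
		return c.Sub, errors.New("token has expired")
	}
	return c.Sub, nil
}

func main() {
	sub, err := CheckIRSA(os.Getenv("AWS_ROLE_ARN"), os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), time.Now())
	fmt.Println("token subject:", sub, "error:", err)
}
```

Run inside the pod, a missing token file points at the service account annotation, while a printed subject of the form `system:serviceaccount:<namespace>:<name>` can be compared against the role's trust policy.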
