aws.iam

Use assume role with web identity in order to use iam role for service account in EKS

Open Kent1 opened this issue 5 years ago • 3 comments

Please specify whether your issue is about:

  • [ ] a possible bug
  • [X] a question about package functionality
  • [ ] a suggested code or documentation change, improvement to the code, or feature request

We do have JupyterHub running in EKS. Each Jupyter pod uses an IAM role for service account in order to have access to S3, etc. That works fine with Python boto3 and awscli.

However, in R, the only thing I see is the role attached to the worker node, which is not the correct role.

Is there a way to use the same authentication mechanism as awscli or boto3? If not, is there a way to use assume role with web identity?

Put your code here:

```r
## load package
library("aws.s3")
library("aws.signature")
library("aws.iam")

## code goes here

> get_caller_identity()

$Account  '012345678910'
$Arn  'arn:aws:sts::012345678910:assumed-role/eks-node-group-dev040/i-01adcd0b33f520bf9'
$UserId  'AROAQT5SGVC3YD227SYGI:i-01adcd0b33f520bf9'

> assume_role("arn:aws:iam::01234567810:role/terraform/jupyterhub/dev040-jupyterhub", "test", use=TRUE, key=NULL, secret=NULL, session_token="eyJhbGciOiJSUzI....")

Warning message in stsHTTP(query = query, ...):
“Forbidden (HTTP 403).”
List of 3
 $ Code   : chr "AccessDenied"
 $ Message: chr "User: arn:aws:sts::01234567810:assumed-role/eks-node-group-dev040/i-01adcd0b33f520bf9 is not authorized to per"| __truncated__


## session info for your system
sessionInfo()
R version 4.0.3 (2020-10-10)
Platform: x86_64-conda-linux-gnu (64-bit)
Running under: Ubuntu 20.04.1 LTS

Matrix products: default
BLAS/LAPACK: /opt/conda/lib/libopenblasp-r0.3.12.so

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C              
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8    
 [5] LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8   
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=C                 
 [9] LC_ADDRESS=C               LC_TELEPHONE=C            
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C       

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

other attached packages:
[1] aws.iam_0.1.8       aws.signature_0.6.0 aws.s3_0.3.21      

loaded via a namespace (and not attached):
 [1] aws.ec2metadata_0.2.0 digest_0.6.27         crayon_1.3.4         
 [4] IRdisplay_0.7.0       R6_2.5.0              repr_1.1.0           
 [7] lifecycle_0.2.0       jsonlite_1.7.1        evaluate_0.14        
[10] httr_1.4.2            pillar_1.4.7          rlang_0.4.9          
[13] curl_4.3              uuid_0.1-4            xml2_1.3.2           
[16] ellipsis_0.3.1        IRkernel_1.1.1        tools_4.0.3          
[19] compiler_4.0.3        base64enc_0.1-3       htmltools_0.5.0      
[22] pbdZMQ_0.3-3.1
```

Kent1, Jan 05 '21 13:01

@Kent1 Hi, did you manage to work around this issue? I am having the same problem. Please update. Thanks.

mohamedimranveeva, Feb 09 '23 06:02

I can't remember, sorry. I was helping some dev with R code, but I am not an R dev myself.

Kent1, Mar 02 '23 08:03

See cloudyr/aws.signature#62 and cloudyr/aws.signature#63. Looks like support is written, but not released.

jspiewak, Aug 01 '23 21:08
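
An added example, not part of the thread and not code from the cloudyr packages: one way to exchange the pod's projected service-account token for the role's credentials by calling STS `AssumeRoleWithWebIdentity` directly with httr and xml2. The function names `irsa_credentials` and `use_irsa_credentials`, the session name and the `us-east-1` fallback region are assumptions; `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables EKS injects into pods that use IAM roles for service accounts.

```r
library(httr)
library(xml2)

# Hypothetical helper: returns temporary credentials for the pod's IRSA role.
irsa_credentials <- function(
  role_arn   = Sys.getenv("AWS_ROLE_ARN"),
  token_file = Sys.getenv("AWS_WEB_IDENTITY_TOKEN_FILE"),
  session    = "r-session",                          # assumed session name
  region     = Sys.getenv("AWS_REGION", "us-east-1") # assumed fallback
) {
  if (!nzchar(role_arn) || !file.exists(token_file)) {
    stop("IRSA variables missing: is the pod's service account annotated?")
  }
  # The token is a short-lived JWT that the kubelet rotates: re-read it each call.
  token <- trimws(paste(readLines(token_file, warn = FALSE), collapse = ""))

  # AssumeRoleWithWebIdentity is not SigV4-signed, so the node's instance-profile
  # credentials are never involved. POST keeps the token out of the URL.
  resp <- POST(
    sprintf("https://sts.%s.amazonaws.com/", region),
    body = list(
      Action           = "AssumeRoleWithWebIdentity",
      Version          = "2011-06-15",
      RoleArn          = role_arn,
      RoleSessionName  = session,
      WebIdentityToken = token
    ),
    encode = "form"
  )
  doc <- xml_ns_strip(read_xml(content(resp, as = "text", encoding = "UTF-8")))
  if (http_error(resp)) {
    stop("STS error: ", xml_text(xml_find_first(doc, "//Error/Code")))
  }
  field <- function(name) xml_text(xml_find_first(doc, paste0("//Credentials/", name)))
  list(key = field("AccessKeyId"), secret = field("SecretAccessKey"),
       session_token = field("SessionToken"), expiration = field("Expiration"))
}

# Export the credentials through the standard AWS environment variables.
use_irsa_credentials <- function() {
  creds <- irsa_credentials()
  Sys.setenv(AWS_ACCESS_KEY_ID     = creds$key,
             AWS_SECRET_ACCESS_KEY = creds$secret,
             AWS_SESSION_TOKEN     = creds$session_token)
  invisible(creds$expiration)  # credentials expire: call again before this time
}
```

After `use_irsa_credentials()`, `get_caller_identity()` should report the service-account role rather than the node group role, provided the role's trust policy allows the cluster's OIDC provider and this service account.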