-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for AWS IAM Kubernetes service account permissions #52625
Comments
Pinging @elastic/es-distributed (:Distributed/Snapshot/Restore) |
I had a quick check and this looks to be implemented by the |
What are the security concerns with using system properties, environment variables, or profiles to store credentials? A web search reveals many opinions both for and against each method. Should Elastic be enforcing a particular security policy or should Elastic make deployers aware of the pros/cons of each method? In Kubernetes, mapped files holding the credentials seems to be one of the recommended practices at this time. (Profile method) |
Elasticsearch team please chime in on which methods will be acceptable. |
For this to work this file needs changing: https://github.com/elastic/elasticsearch/blob/master/distribution/src/bin/elasticsearch-env-from-file When I try to use IAM Roles for Service accounts it currently errors with:
The token gets created with the following permissions:
By default this file has permission 600 and owned by root:root, but when this is set:
Then the group ownership of the token is changed to match |
The
|
Has there been any progress on this issue? I'd very much like to not have to inject static credentials as this would be a step backwards from my current non-k8s deployment. What's the reasoning behind not just using the default AWS SDK credential chain here? |
Hi, ES is also one of the last application in our infrastructure not being able to use EKS IRSA (OIDC). ES does not tries to read EKS IRSA token mounted in the pods: ServiceAccount has the following annotation:
Which results in these env vars to be mounted in the pods:
But ES keeps trying to use EC2 Metadata:
Any way to make this working ? |
For anyone who stumbles upon this, there is a workaround posted here. First, create a secret containing AWS credentials. Then refer to the secret in the manifest.
I hope this saves someone a couple of hours googling and we can merge #65923 soon. |
+1, we just ran into this today :( |
@therealdwright the question is that it should use the service account, there are a lot of ways using access key and secret key, this isn't a problem at all. But service accounts are way more secure than credentials. Is there any ETA for this issue? |
I agree and I also would like to use IRSA also. I posted this as a workaround as I had assumed (incorrectly) the service account approach would work. |
🆙 |
It seems the repository-s3 plugin uses AWS SDK v1 :
I highly doubt the SDK V1 supports the environment variable That means the fix for this would be to
|
I am having the exact same issue, we are trying to use Service Accounts in EKS and despite the pod is correctly initated and we can see the below environment variables:
Yet the s3 connections still fail, digging into the logs i could see the following error from s3 plugin, it may help in closing this issue. [Note: file is not there! ]
|
…1255) There have been many requests to support repository-s3 authentication via IAM roles in Kubernetes service accounts. The AWS SDK is supposed to support them out of the box with the aws-java-sdk-sts library. Unfortunately, we can't use WebIdentityTokenCredentialsProvider from the SDK. It reads the token from AWS_WEB_IDENTITY_TOKEN_FILE environment variable which is usually mounted to /var/run/secrets/eks.amazonaws.com/serviceaccount/token and the S3 repository doesn't have the read permission to read it. We don't want to hard-code a file permission for the repository, because the location of AWS_WEB_IDENTITY_TOKEN_FILE can change at any time in the future and we would also generally prefer to restrict the ability of plugins to access things outside of their config directory. To overcome this limitation, this change adds a custom WebIdentityCredentials provider that reads the service account from a symlink to AWS_WEB_IDENTITY_TOKEN_FILE created in the repository's config directory. We expect the end user to create the symlink to indicate that they want to use service accounts for authentification. Service accounts are checked and exchanged for session tokens by the AWS STS. To test the authentification flow, this change adds a test fixture which mocks the assume-role-with-web-identity call to the service and returns a response with test credentials. Fixes #52625
So either I'm doing something wrong or the latest changes in 8.0 make this worse. My setup still had the role mapping enabled (and therefore the Be aware when upgrading! I added the symlink as per the doco
This lets Elasticsearch start correctly with the s3 plugin installed and the env var injected. Of course if I remove the old secureSettings workaround I still can't access S3 with IAM roles. |
…oken (#84697) Make sure users can use the static credentials even if there is a service account with IAM roles configured on the system. See #52625 (comment)
…oken (elastic#84697) Make sure users can use the static credentials even if there is a service account with IAM roles configured on the system. See elastic#52625 (comment) (cherry picked from commit d965595)
…oken (elastic#84697) Make sure users can use the static credentials even if there is a service account with IAM roles configured on the system. See elastic#52625 (comment) (cherry picked from commit d965595)
…oken (#84697) (#84824) Make sure users can use the static credentials even if there is a service account with IAM roles configured on the system. See #52625 (comment) (cherry picked from commit d965595)
…oken (#84697) (#84825) Make sure users can use the static credentials even if there is a service account with IAM roles configured on the system. See #52625 (comment)
Hi @hamishforbes! Thank you very much for the report! It's indeed a bug: Elasticsearch shouldn't crash if the user didn't create a symlink to |
…84585) If we don't instruct to look up the region from the Endpoint URL, AWSSecurityTokenServiceClient tries to look it up implicitly in a custom way which requires reading the /.aws/config file for which we don't have a file permission. The same approach is used for the general AmazonS3ClientBuilder Resolves #83826, #52625
…lastic#84585) If we don't instruct to look up the region from the Endpoint URL, AWSSecurityTokenServiceClient tries to look it up implicitly in a custom way which requires reading the /.aws/config file for which we don't have a file permission. The same approach is used for the general AmazonS3ClientBuilder Resolves elastic#83826, elastic#52625
…lastic#84585) If we don't instruct to look up the region from the Endpoint URL, AWSSecurityTokenServiceClient tries to look it up implicitly in a custom way which requires reading the /.aws/config file for which we don't have a file permission. The same approach is used for the general AmazonS3ClientBuilder Resolves elastic#83826, elastic#52625
…84585) (#84946) If we don't instruct to look up the region from the Endpoint URL, AWSSecurityTokenServiceClient tries to look it up implicitly in a custom way which requires reading the /.aws/config file for which we don't have a file permission. The same approach is used for the general AmazonS3ClientBuilder Resolves #83826, #52625
…84585) (#84947) If we don't instruct to look up the region from the Endpoint URL, AWSSecurityTokenServiceClient tries to look it up implicitly in a custom way which requires reading the /.aws/config file for which we don't have a file permission. The same approach is used for the general AmazonS3ClientBuilder Resolves #83826, #52625
Ok after much banging of heads against walls I think i've made this work You must manually set an additional env var that is not set by the EKS / IAM integration automatically The session name is not required by the SDK normally, it just makes up a default value. Depending on how you look at it, there's either a key piece of information missing from the documentation or this is just the incorrect implementation. @arteam thoughts? edit: For those using the ECK operator you need to do something like apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: your-elastic-cluster
spec:
nodeSets:
- name: default
podTemplate:
spec:
containers:
- env:
- name: AWS_ROLE_SESSION_NAME
value: repository-s3
name: elasticsearch
initContainers:
- command:
- sh
- -c
- mkdir -p "/usr/share/elasticsearch/config/repository-s3"; ln -s $AWS_WEB_IDENTITY_TOKEN_FILE
"/usr/share/elasticsearch/config/repository-s3/aws-web-identity-token-file"
name: symlink-token Note you dont need to install the s3 plugin in an init container anymore either |
… not provided The AWS SDK actually doesn't require the session name to be set and generates one if it's not provided via the `AWS_ROLE_SESSION_NAME` environment variable. See elastic#52625 (comment).
… not provided (elastic#86255) The AWS SDK actually doesn't require the session name to be set and generates one if it's not provided via the AWS_ROLE_SESSION_NAME environment variable. See elastic#52625
It's surprising that this feature is not backport to 7.17. 😞 |
Amazon EKS recently supports IAM permissions for Kubernetes service accounts.
I would be nice to have support for service account permissions implemented in (at least) the S3 repository plugin so it is possible to create snapshots to an S3 repository without having to update access keys and tokens on a regular basis.
The text was updated successfully, but these errors were encountered: