Closed
Expected Behavior
When the Java server runs on an AWS EKS pod, I get the following error:
Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;
After debugging, I found that the S3Client that interacts with S3 assumed the Node role, instead of the ServiceAccount Role.
Current Behavior
The S3Client that interacts with S3 assumed the Node role, instead of the ServiceAccount Role.
Steps to reproduce
Specifications
- Version:
- Platform:
- Subsystem:
Possible Solution
I made the following change and deployed the Java service on AWS EKS. I was able to run the server without encountering the above-mentioned error.
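```java
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

@Provides
public AmazonS3 awsStorage(ApplicationProperties applicationProperties) {
    AmazonS3ClientBuilder builder = AmazonS3ClientBuilder.standard()
            .withRegion(applicationProperties.getFeast().getAwsRegion());
    // Role ARN and projected token file for the pod's ServiceAccount.
    String roleArn = applicationProperties.getFeast().getRoleRegion();
    String webIdentityTokenFile = applicationProperties.getFeast().getToken();
    if (roleArn != null && webIdentityTokenFile != null) {
        // Use the web identity (ServiceAccount) credentials explicitly
        // instead of whatever the default provider chain resolves to.
        WebIdentityTokenCredentialsProvider credentialsProvider =
                WebIdentityTokenCredentialsProvider.builder()
                        .roleArn(roleArn)
                        .webIdentityTokenFile(webIdentityTokenFile)
                        .build();
        builder.withCredentials(credentialsProvider);
    }
    // If either value is missing, the builder keeps the default chain.
    return builder.build();
}
```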
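A diagnostic for the symptom reported above, added here as an example and not part of the original issue or the project's code: it checks the inputs the web identity provider depends on, so a pod that would fall back to the node role can be spotted before the 403. It assumes EKS injects `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` into pods whose ServiceAccount is bound to a role and that the projected token uses the `sts.amazonaws.com` audience; the class name `IrsaCheck`, the account ID, role name and ServiceAccount name are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class IrsaCheck {
    // Pull one string claim out of the JWT payload; enough for a diagnostic, not a JSON parser.
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\\[?\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    // Lists the reasons a pod would not get the ServiceAccount role (empty list = inputs look right).
    static List<String> diagnose(Map<String, String> env, String jwt) {
        List<String> findings = new ArrayList<>();
        if (env.get("AWS_ROLE_ARN") == null) findings.add("AWS_ROLE_ARN is not set");
        if (env.get("AWS_WEB_IDENTITY_TOKEN_FILE") == null) findings.add("AWS_WEB_IDENTITY_TOKEN_FILE is not set");
        String[] parts = jwt == null ? new String[0] : jwt.split("\\.");
        if (parts.length != 3) {
            findings.add("projected token is missing or not a JWT");
            return findings;
        }
        // Claims are read without verifying the signature: this inspects, it does not authenticate.
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        String sub = claim(payload, "sub");
        String aud = claim(payload, "aud");
        if (sub == null || !sub.startsWith("system:serviceaccount:")) findings.add("sub is not a ServiceAccount: " + sub);
        if (!"sts.amazonaws.com".equals(aud)) findings.add("aud is not sts.amazonaws.com: " + aud);
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample token (unsigned, illustrative claims only).
        String payload = "{\"aud\":[\"sts.amazonaws.com\"],\"sub\":\"system:serviceaccount:feast:feast-serving\"}";
        String jwt = "e30." + Base64.getUrlEncoder().withoutPadding()
                .encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".sig";
        // Constructed environment: role ARN present, token file variable missing.
        Map<String, String> env = Map.of("AWS_ROLE_ARN", "arn:aws:iam::111122223333:role/example-role");
        diagnose(env, jwt).forEach(System.out::println);
    }
}
```

In a real pod, pass `System.getenv()` and the contents of the file named by `AWS_WEB_IDENTITY_TOKEN_FILE` to `diagnose`.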