[
https://issues.apache.org/jira/browse/NIFI-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Joe Petitti updated NIFI-10280:
-------------------------------
Description:
I have NiFi deployed on a kubernetes cluster using IAM Roles for Service
Accounts. I've verified that the service account token is being injected into
the pods, is readable by the nifi user, and is a valid token. The environment
variables {{{}AWS_WEB_IDENTITY_TOKEN_FILE{}}}, {{{}AWS_ROLE_ARN{}}},
{{{}AWS_REGION{}}}, and {{AWS_DEFAULT_REGION}} are set in the pods properly
too. On the AWSCredentialsProviderControllerService I have "Use Default
Credentials" set to true. But NiFi seems to be ignoring the web identity
environment variables and just using the node's IAM role instead.
NiFi 1.16.3 uses aws-sdk-java version 1.12.182, which should be high enough to
use IRSA by default above node role according to [this
issue|[https://github.com/aws/aws-sdk-java/issues/2136],] so I'm not sure why
the environment variables are being ignored. Any help would be greatly
appreciated.
was:
I have NiFi deployed on a kubernetes cluster using IAM Roles for Service
Accounts. I've verified that the service account token is being injected into
the pods, is readable by the nifi user, and is a valid token. The environment
variables {{{}AWS_WEB_IDENTITY_TOKEN_FILE{}}}, {{{}AWS_ROLE_ARN{}}},
{{{}AWS_REGION{}}}, and {{AWS_DEFAULT_REGION }}are set in the pods properly
too. On the AWSCredentialsProviderControllerService I have "Use Default
Credentials" set to true. But NiFi seems to be ignoring the web identity
environment variables and just using the node's IAM role instead.
NiFi 1.16.3 uses aws-sdk-java version 1.12.182, which should be high enough to
use IRSA by default above node role according to [this
issue|[https://github.com/aws/aws-sdk-java/issues/2136],] so I'm not sure why
the environment variables are being ignored. Any help would be greatly
appreciated.
> NiFi pods don't use IRSA role
> -----------------------------
>
> Key: NIFI-10280
> URL: https://issues.apache.org/jira/browse/NIFI-10280
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.16.3
> Environment: Kubernetes
> Reporter: Joe Petitti
> Priority: Major
>
> I have NiFi deployed on a kubernetes cluster using IAM Roles for Service
> Accounts. I've verified that the service account token is being injected into
> the pods, is readable by the nifi user, and is a valid token. The environment
> variables {{{}AWS_WEB_IDENTITY_TOKEN_FILE{}}}, {{{}AWS_ROLE_ARN{}}},
> {{{}AWS_REGION{}}}, and {{AWS_DEFAULT_REGION}} are set in the pods properly
> too. On the AWSCredentialsProviderControllerService I have "Use Default
> Credentials" set to true. But NiFi seems to be ignoring the web identity
> environment variables and just using the node's IAM role instead.
> NiFi 1.16.3 uses aws-sdk-java version 1.12.182, which should be high enough
> to use IRSA by default above node role according to [this
> issue|[https://github.com/aws/aws-sdk-java/issues/2136],] so I'm not sure why
> the environment variables are being ignored. Any help would be greatly
> appreciated.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
