[ https://issues.apache.org/jira/browse/NIFI-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joe Petitti updated NIFI-10280:
-------------------------------
    Description:
I have NiFi deployed on a Kubernetes cluster using IAM Roles for Service Accounts. I've verified that the service account token is being injected into the pods, is readable by the nifi user, and is a valid token. The environment variables {{AWS_WEB_IDENTITY_TOKEN_FILE}}, {{AWS_ROLE_ARN}}, {{AWS_REGION}}, and {{AWS_DEFAULT_REGION}} are set in the pods properly too. On the AWSCredentialsProviderControllerService I have "Use Default Credentials" set to true. But NiFi seems to be ignoring the web identity environment variables and just using the node's IAM role instead.

NiFi 1.16.3 uses aws-sdk-java version 1.12.182, which should be high enough to use IRSA by default above node role according to [this issue|https://github.com/aws/aws-sdk-java/issues/2136], so I'm not sure why the environment variables are being ignored.

Any help would be greatly appreciated.
> NiFi pods don't use IRSA role
> -----------------------------
>
>                 Key: NIFI-10280
>                 URL: https://issues.apache.org/jira/browse/NIFI-10280
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.16.3
>         Environment: Kubernetes
>            Reporter: Joe Petitti
>            Priority: Major
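A pre-flight check of the IRSA inputs the description lists (role ARN, token file, token claims), as an added example that is not part of the report or of NiFi's code. The function names and the sample token are constructed; `sts.amazonaws.com` is the default IRSA audience and can be overridden. The check does not verify the token signature and does not show which credentials the SDK actually selected.

```python
import base64, json, os, re, time

ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_irsa(env, now=None, audience="sts.amazonaws.com"):
    """Return problems found in the IRSA inputs (empty list: none). Signature is not verified."""
    now = time.time() if now is None else now
    problems = []
    role, path = env.get("AWS_ROLE_ARN"), env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not role or not ROLE_ARN_RE.match(role):
        problems.append("AWS_ROLE_ARN missing or not an IAM role ARN")
    if not path:
        return problems + ["AWS_WEB_IDENTITY_TOKEN_FILE not set"]
    try:
        with open(path) as fh:
            token = fh.read().strip()
    except OSError as exc:
        return problems + [f"token file unreadable: {exc.strerror}"]
    parts = token.split(".")
    if len(parts) != 3:
        return problems + ["token is not a three-part JWT"]
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
        claims = json.loads(base64.urlsafe_b64decode(padded))
        if not isinstance(claims, dict):
            raise ValueError("claims are not a JSON object")
    except ValueError:
        return problems + ["token payload is not base64url JSON"]
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if audience not in auds:
        problems.append(f"aud does not include {audience}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp claim missing")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append("sub is not a service account")
    return problems

def make_sample_token(exp, aud="sts.amazonaws.com"):
    # Constructed, unsigned sample token for testing; the third segment is a dummy.
    claims = {"aud": [aud], "exp": exp, "sub": "system:serviceaccount:example-ns:nifi"}
    return ".".join([b64url(b'{"alg":"none"}'), b64url(json.dumps(claims).encode()), "sig"])

if __name__ == "__main__":
    print(check_irsa(dict(os.environ)) or "no problems found in IRSA inputs")
```

Run inside the pod as the user the application runs as, so the file-permission check reflects what the JVM sees.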