Router does not support using EC2 IAM role for S3 storage provider #1249

Closed
lachlan-smith opened this issue Oct 7, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@lachlan-smith
Contributor

Component(s)

router

Component version

0.121.0

wgc version

0.66.2

controlplane version

n/a

router version

0.121.0

What happened?

Description

When using the routers with the S3 storage provider and deploying to EKS, it is not possible to use the EKS/EC2 node IAM role for authenticating against S3.

This appears to be because of the way the minio-go client is being instantiated, by only providing a static credentials configuration.

When deploying into an EKS cluster, using IAM roles is preferable, as kubelet will intercept the calls to the AWS API and handle authentication on your behalf using the IAM role/policy assigned to the EC2 node. More info on how this works can be found here: https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html

Steps to Reproduce

In the router's config.yaml, configure a storage provider and attempt to load the execution config from it:

storage_providers:
  s3:
  - id: "s3"
    endpoint: "s3.amazonaws.com"
    bucket: "my-config-bucket"
    region: "us-east-1"
    secure: true

execution_config:
  storage:
    provider_id: s3
    object_path: "execution-config.json"

Expected Result

The router is able to load the execution configuration from the bucket and start successfully.

Actual Result

The router fails to start and logs an "Access denied" error when trying to load the execution configuration from the S3 bucket.

Environment information

Environment

OS: AWS EKS (Kubernetes 1.29)
Package Manager: npm
Compiler(if manually compiled): n/a

Router configuration

No response

Router execution config

No response

Log output

No response

Additional context

No response
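The credential fallback this issue asks for, as an added example: it is not the router's code, not minio-go, and not the fix from #1250. `Creds`, `imdsCall` and `ResolveCreds` are hypothetical names; the sketch assumes the node role is read from the EC2 instance metadata service (IMDSv2) at the base URL passed in, and the keys in `main` are constructed placeholders.

```go
package main
import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

type Creds struct{ AccessKeyID, SecretAccessKey, Token string } // read from the IMDS JSON

// imdsCall sends one request carrying a single header and returns the response body.
func imdsCall(method, url, header, value string) (string, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(header, value)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err == nil && resp.StatusCode != http.StatusOK {
		err = fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode)
	}
	return string(body), err
}

// ResolveCreds (hypothetical): static keys if configured, else node-role keys via IMDSv2.
func ResolveCreds(accessKey, secretKey, imds string) (c Creds, err error) {
	if accessKey != "" || secretKey != "" { // explicit configuration wins, no silent fallback
		return Creds{AccessKeyID: accessKey, SecretAccessKey: secretKey}, nil
	}
	path, hdr := imds+"/latest/meta-data/iam/security-credentials/", "X-aws-ec2-metadata-token"
	tok, err := imdsCall("PUT", imds+"/latest/api/token", hdr+"-ttl-seconds", "60")
	role, doc := "", ""
	if err == nil { // name of the role attached to the instance profile
		role, err = imdsCall("GET", path, hdr, tok)
	}
	if err == nil { // that role's short-lived keys and session token
		doc, err = imdsCall("GET", path+role, hdr, tok)
	}
	if err == nil {
		err = json.Unmarshal([]byte(doc), &c)
	}
	return c, err
}

func main() { fmt.Println(ResolveCreds("EXAMPLE_KEY", "EXAMPLE_SECRET", "")) } // constructed keys
```

With no static keys in the config, the session token returned by the metadata service has to be sent along with the access key and secret, and all three expire, so a long-running process must fetch them again rather than cache them for its lifetime.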

@lachlan-smith added the bug label on Oct 7, 2024

github-actions bot commented Oct 7, 2024

WunderGraph commits fully to Open Source and we want to make sure that we can help you as fast as possible.
The roadmap is driven by our customers and we have to prioritize issues that are important to them.
You can influence the priority by becoming a customer. Please contact us here.

@lachlan-smith
Contributor Author

I've opened a PR with a fix here #1250

@lachlan-smith
Contributor Author

Resolved with 5d67c4b
