S3 Output Plugin not working with IMDSv1 and kube2iam
#6479
Comments
I am having the same problem. We have a fluentbit sidecar that needs to write to an S3 bucket.
To clarify, it only works for us if we specify the role_arn, where because of kube2iam, if a process makes a request to the metadata service, kube2iam hijacks that, assumes the role we define in the Pod annotations, and then hands the sts credentials back to the process.
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the
Still an issue..
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the
This issue was closed because it has been stalled for 5 days with no activity.
@joshbranham @sebsthiel
We "fixed" it by explicitly specifying the role to assume in the
Bug Report
Describe the bug
When using the AWS S3 output plugin, coupled with IAM assume roles in Kubernetes, Fluent-bit fails to get credentials, seemingly because it does not support IMDSv1? To work around this, we can explicitly set the role_arn value to the role that kube2iam would have otherwise automatically assumed on the Pod's behalf if it had hit the IMDSv1 metadata endpoint for credentials.
To Reproduce
Run Fluent-bit on an EC2 instance with IMDSv1 only, or in a Kubernetes cluster using kube2iam or similar (which only supports IMDSv1 currently) and attempt to write logs to an S3 bucket.
Expected behavior
Fluent-bit will make a request to the metadata service, when provided no credentials, to receive the instance profile.
Your Environment
Additional context
Is this expected to just only work with IMDSv2? I noticed the filter_s3 plugin supports setting imds_version v1 but output_s3 does not.
Here is the error output:
I would have expected the above to log trying to connect to IMDS?
This might be related, although we are running 1.9.4 #4388
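A diagnostic for the situation reported in this issue, added here as an example (it is not code from Fluent Bit, kube2iam or the reporter): run from inside the pod or instance, it checks whether the metadata endpoint answers the IMDSv2 token request or only token-less IMDSv1 requests. The function names and result wording are assumptions of this example; the paths and headers are the standard EC2 IMDS ones.

```python
# Added example: classify which IMDS versions a metadata endpoint answers.
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"  # standard EC2 metadata address
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
# Link-local metadata traffic must never go through an HTTP proxy.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def _request(base, path, method="GET", headers=None, timeout=2):
    """Return (status, body); status 0 means no HTTP response at all."""
    req = urllib.request.Request(base + path, method=method, headers=headers or {})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""

def probe_imds(base=IMDS):
    """Report IMDSv1/IMDSv2 support and the role name each path exposes."""
    result = {"v2_token": False, "v1_role": None, "v2_role": None}
    # IMDSv2: a session token must first be obtained with a PUT.
    status, token = _request(base, TOKEN_PATH, "PUT",
                             {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    if status == 200 and token:
        result["v2_token"] = True
        status, body = _request(base, CREDS_PATH,
                                headers={"X-aws-ec2-metadata-token": token})
        if status == 200:
            result["v2_role"] = body.strip() or None
    # IMDSv1: the same path requested without any token.
    status, body = _request(base, CREDS_PATH)
    if status == 200:
        result["v1_role"] = body.strip() or None
    return result

def diagnose(result):
    """Turn the probe result into a one-line finding."""
    if result["v2_token"]:
        return "IMDSv2 available"
    if result["v1_role"]:
        return "IMDSv1 only: a client that requires an IMDSv2 token gets no credentials"
    return "no instance-profile credentials reachable"

if __name__ == "__main__":
    found = probe_imds()
    print(found, "->", diagnose(found))
```

An "IMDSv1 only" result matches the environment described in the report, where setting role_arn explicitly was the workaround.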