
I'm running into an issue using Kubernetes service accounts to grant access to a codecommit repository for a spring config server.

When AWSCodeCommitReadOnly is granted to the EKS cluster.worker-node role, the config server is able to successfully get the properties, however replicating this using service accounts causes the config server to throw the following error:

Cannot clone or checkout repository: https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/config-server-properties

A separate IAM role has been created with the CodeCommit policy, and this is being attached to a service account with the annotation:

Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::accountnum:role/test-pod-iam-permissions

The IAM role has a trusted entity for the EKS cluster and the following condition:

system:serviceaccount:namespace:test-pod-iam-permissions

We've also created a clusterrole which should have access to all verbs/resources:

Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *          []                 []              [*]

and an associated binding:

Name:         iam-permissions-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  iam-permissions
Subjects:
  Kind            Name                      Namespace
  ----            ----                      ---------
  ServiceAccount  test-pod-iam-permissions  namespace

Following this documentation https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html we seem to have ticked all the boxes, so we're not sure what could be missing.

The deployment has the service account added, and when we exec into the pod it shows the IAM role ARN:

$ kubectl exec -n namespace config-service-pod env | grep AWS
AWS_DEFAULT_REGION=eu-west-1
AWS_ROLE_ARN=arn:aws:iam::accountnum:role/test-pod-iam-permissions
AWS_REGION=eu-west-1
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

Could a separate service account be overriding the permissions we're trying to grant here? We've updated the config server's pom to use 1.11.623 for aws-java-sdk-core and added a dependency for aws-java-sdk-sts.

davo777
Yes, we also faced the same issue. We moved to Node Role. Also the document says that it uses either AWS creds or NodeRole only. https://cloud.spring.io/spring-cloud-config/multi/multi__spring_cloud_config_server.html – Sriharsha Kalluru Aug 24 '21 at 15:35
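Added example, not from the question or the comments: the Kubernetes ClusterRole and binding above only govern Kubernetes API access and have no effect on IAM, so the place where an IRSA setup like this usually fails is the role's trust policy. The script below decodes the projected service-account token (the file named by `AWS_WEB_IDENTITY_TOKEN_FILE`, read without signature verification, purely to compare claims) and checks it against the role's trust policy: the `Federated` principal must be the cluster's OIDC provider, the statement must allow `sts:AssumeRoleWithWebIdentity`, and the `StringEquals` condition on `<issuer>:sub` must equal `system:serviceaccount:<namespace>:<name>` exactly, with an `<issuer>:aud` condition of `sts.amazonaws.com` as well. The OIDC issuer id, account id, and the sample token and policies are constructed placeholders; the service account name and namespace are the ones from the question. Once the trust side matches, the remaining variable is whether the SDK on the classpath actually builds a web-identity credentials provider, which in the 1.x Java SDK requires aws-java-sdk-sts alongside the 1.11.623+ core the question already uses.

```python
"""Offline check that an IRSA trust policy matches the token a pod actually receives.

Example code written for this answer; it is not part of Spring Cloud Config or any AWS tool.
"""
import base64
import json
from typing import Any, Dict, List

# Constructed placeholders; take the real values from the cluster and the account.
OIDC_ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCID"
ACCOUNT_ID = "123456789012"
SERVICE_ACCOUNT_SUB = "system:serviceaccount:namespace:test-pod-iam-permissions"


def decode_jwt_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Only used to read sub/aud for comparison against the trust policy; STS does
    the real verification, so never authorize anything based on this output.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_trust_policy(policy: Dict[str, Any], claims: Dict[str, Any],
                       issuer: str, account: str) -> List[str]:
    """Return a list of mismatches between an IAM trust policy and the token claims.

    An empty list means the policy would let exactly this service account assume the role.
    """
    findings: List[str] = []
    expected_principal = f"arn:aws:iam::{account}:oidc-provider/{issuer}"
    sub_key, aud_key = f"{issuer}:sub", f"{issuer}:aud"
    token_auds = claims.get("aud", [])
    if isinstance(token_auds, str):  # aud may be a string or a list in a JWT
        token_auds = [token_auds]
    matched = False

    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal", {}).get("Federated")
        if principal != expected_principal:
            findings.append(f"Federated principal {principal!r} is not the cluster OIDC provider {expected_principal!r}")
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        expected_sub = cond.get(sub_key)
        if expected_sub is None:
            findings.append(f"no StringEquals condition on {sub_key}: any service account in the cluster could assume the role")
        elif expected_sub != claims.get("sub"):
            findings.append(f"trust policy expects sub {expected_sub!r} but the pod token carries {claims.get('sub')!r}")
        expected_aud = cond.get(aud_key)
        if expected_aud is None:
            findings.append(f"no condition on {aud_key}: expected sts.amazonaws.com")
        elif expected_aud not in token_auds:
            findings.append(f"trust policy expects aud {expected_aud!r} but the token carries {token_auds!r}")
        matched = True

    if not matched and not findings:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity found")
    return findings


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Build a JWT-shaped string for the example only; real tokens are signed by the cluster's OIDC issuer."""
    def b64(obj: Dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


def irsa_trust_policy(sub: str) -> Dict[str, Any]:
    """Constructed trust policy in the shape the EKS documentation describes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{OIDC_ISSUER}:sub": sub,
                                           f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"}},
        }],
    }


# Constructed sample: the claims EKS projects into the pod token for this service account.
SAMPLE_TOKEN = make_unsigned_token({"iss": f"https://{OIDC_ISSUER}",
                                    "sub": SERVICE_ACCOUNT_SUB, "aud": ["sts.amazonaws.com"]})
GOOD_POLICY = irsa_trust_policy(SERVICE_ACCOUNT_SUB)
# Same policy with a namespace typo, the most common way this setup silently fails.
BAD_POLICY = irsa_trust_policy("system:serviceaccount:default:test-pod-iam-permissions")

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_trust_policy(policy, claims, OIDC_ISSUER, ACCOUNT_ID) or "OK")
```

On a live cluster, replace `SAMPLE_TOKEN` with the contents of the file in `AWS_WEB_IDENTITY_TOKEN_FILE` from inside the pod and the policy with the output of `aws iam get-role` for the role in `AWS_ROLE_ARN`; a non-empty findings list points at the exact condition STS would reject.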

0 Answers