Support for S3 access using EKS IAM Pod Identity Association with service account #4227
Closed
DeclanKainos started this conversation in Ideas
Replies: 0 comments
Would it be possible to implement support for authenticating with S3 using a service account with an IAM Pod Identity Association assigned to it? I have tried to deploy tempoMonolithic 2.5.0 with a service account configured using this feature, however Tempo still defaults to trying to assume the role I've specified (same one as linked with the Pod Identity Association) using the cluster node group role.
Current error output:
k logs tempo-monitoring-0 -n tempo
level=info ts=2024-10-22T19:19:30.780166707Z caller=main.go:225 msg="initialising OpenTracing tracer"
level=info ts=2024-10-22T19:19:30.796919928Z caller=main.go:118 msg="Starting Tempo" version="(version=2.5.0, branch=HEAD, revision=46dad3411)"
level=error ts=2024-10-22T19:19:30.85278527Z caller=main.go:121 msg="error running Tempo" err="failed to init module services: error initialising module: store: failed to create store: unexpected error from ListObjects on S3-BUCKET-XXXXXX: User: arn:aws:sts::XXXXXXXXXX:assumed-role/services-large-eks-node-group-XXXXXXXXXXXX/i-0XXXXXXXXXXX is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::S3-BUCKET-XXXXXX" because no identity-based policy allows the s3:ListBucket action"
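A triage sketch for the error above, added here as an example; it is not part of the original post and not Tempo code. It extracts the denied principal from the log line and compares it with the credential variables that EKS Pod Identity and IRSA inject into a container; the function names, verdict strings and the sample environment are assumptions made for illustration.

```python
import re

# Variables the EKS Pod Identity webhook injects into a pod's containers.
POD_IDENTITY_VARS = ("AWS_CONTAINER_CREDENTIALS_FULL_URI",
                     "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
# Variables injected for IAM Roles for Service Accounts (IRSA).
IRSA_VARS = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")

ARN_RE = re.compile(r'arn:aws[\w-]*:sts::[^:\s]+:assumed-role/([^/\s]+)/([^\s"]+)')
# EC2 instance-profile sessions are named after the instance ID; the pattern
# is loosened to letters so it also matches the redacted ID in the post.
INSTANCE_SESSION_RE = re.compile(r"^i-[0-9A-Za-z]+$")

# Error fragment copied from the post (already redacted by its author).
SAMPLE_ERROR = ('User: arn:aws:sts::XXXXXXXXXX:assumed-role/'
                'services-large-eks-node-group-XXXXXXXXXXXX/i-0XXXXXXXXXXX '
                'is not authorized to perform: s3:ListBucket')
# Constructed sample of a container environment with Pod Identity injected.
SAMPLE_ENV = {
    "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://169.254.170.23/v1/credentials",
    "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE":
        "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token",
}

def caller_from_error(line):
    """Return (role_name, session_name) of the denied principal, or None."""
    m = ARN_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def injected_source(env):
    # Name the pod-level credential source the environment advertises.
    if all(env.get(v) for v in POD_IDENTITY_VARS):
        return "pod-identity"
    if all(env.get(v) for v in IRSA_VARS):
        return "irsa"
    return "nothing-injected"

def diagnose(line, env):
    # Combine the denied principal with the pod environment into a verdict.
    caller = caller_from_error(line)
    if caller is None:
        return "no-assumed-role-principal"
    if not INSTANCE_SESSION_RE.match(caller[1]):
        return "pod-or-other-role-used"
    source = injected_source(env)
    if source == "nothing-injected":
        return "node-role-used-nothing-injected"
    return "node-role-used-despite-" + source

if __name__ == "__main__":
    print(caller_from_error(SAMPLE_ERROR), diagnose(SAMPLE_ERROR, SAMPLE_ENV))
```

Inside the container, pass `dict(os.environ)` in place of `SAMPLE_ENV`. A `node-role-used-despite-pod-identity` verdict means the credentials were offered to the pod but the client's credential chain did not pick them up, while `node-role-used-nothing-injected` points at the association or the service account binding instead.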