Description
Describe the bug
The service broker, deployed on AWS EKS with its ServiceAccount object annotated with `eks.amazonaws.com/role-arn: <my-role-arn>`, does not use that role. It instead falls back to the EC2 instance metadata credentials (which do NOT have the right permissions) and therefore fails to start with a bunch of Access Denied errors.
To Reproduce
Deploy the service broker on EKS with IRSA enabled and add the proper role annotation.
Expected behavior
The AWS SDK used by the service broker should authenticate using the web identity token injected by EKS.
Screenshots
The assumed role shown is the EKS instance role; the target_role is the actual service account role that should be used.

Environment (please complete the following information):
- Application Platform: Kubernetes (AWS EKS)
- Application Platform Version: 1.18.9
- Broker Version: 1.0.2
Additional context
I see that in pkg/broker/aws_sdk.go the EC2 instance role is being explicitly configured instead of relying on the SDK default credential chain. My suspicion is that this prevents the SDK from falling back to the Web Identity authentication method.
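As an added example (not code from the issue or from the broker project), the following Go program models the credential-chain behaviour the report describes. It does not use the AWS SDK; the two providers are small stand-ins for the SDK's web identity and EC2 instance role providers, and the role ARNs, token contents and field names (`PodEnv`, `Resolve`, `InstanceRoleOnlyChain`, `DefaultLikeChain`) are constructed for illustration. It shows why a chain that wires in only the instance role provider can never pick up the IRSA token, while a chain ordered like the SDK default (web identity before instance metadata) does, and still falls back to the node role when IRSA is not injected.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// PodEnv is the slice of a pod's environment that matters for credential
// resolution. RoleARN and TokenFile stand for the AWS_ROLE_ARN and
// AWS_WEB_IDENTITY_TOKEN_FILE variables the EKS pod identity webhook injects;
// NodeRoleARN stands in for what the instance metadata service would return.
type PodEnv struct {
	RoleARN     string // AWS_ROLE_ARN (IRSA)
	TokenFile   string // AWS_WEB_IDENTITY_TOKEN_FILE (projected SA token)
	NodeRoleARN string // role carried by the node's instance profile
}

// Provider is one credential source: the identity it would yield and whether
// it could produce credentials at all.
type Provider interface {
	Name() string
	Retrieve(env PodEnv) (identity string, ok bool)
}

// WebIdentityProvider is a stand-in for the SDK's web identity role provider:
// it needs both the role ARN and a readable, non-empty token file.
type WebIdentityProvider struct{}

func (WebIdentityProvider) Name() string { return "WebIdentity" }

func (WebIdentityProvider) Retrieve(env PodEnv) (string, bool) {
	if env.RoleARN == "" || env.TokenFile == "" {
		return "", false
	}
	tok, err := os.ReadFile(env.TokenFile)
	if err != nil || len(tok) == 0 {
		return "", false
	}
	// The real provider would call sts:AssumeRoleWithWebIdentity here.
	return env.RoleARN, true
}

// EC2RoleProvider is a stand-in for the instance metadata provider: it hands
// back whatever role the node has, regardless of what the pod should use.
type EC2RoleProvider struct{}

func (EC2RoleProvider) Name() string { return "EC2RoleProvider" }

func (EC2RoleProvider) Retrieve(env PodEnv) (string, bool) {
	if env.NodeRoleARN == "" {
		return "", false
	}
	return env.NodeRoleARN, true
}

// Resolve walks the chain in order and returns the first provider that yields
// credentials, the same first-match rule a chain credentials provider applies.
func Resolve(chain []Provider, env PodEnv) (source, identity string, err error) {
	for _, p := range chain {
		if id, ok := p.Retrieve(env); ok {
			return p.Name(), id, nil
		}
	}
	return "", "", errors.New("no provider in chain returned credentials")
}

// InstanceRoleOnlyChain is the shape the report describes: the instance role
// is wired in explicitly, so the web identity token is never consulted.
func InstanceRoleOnlyChain() []Provider { return []Provider{EC2RoleProvider{}} }

// DefaultLikeChain orders the remote providers the way the SDK default chain
// does: web identity first, instance metadata only as a last resort.
func DefaultLikeChain() []Provider {
	return []Provider{WebIdentityProvider{}, EC2RoleProvider{}}
}

// writeToken writes a constructed placeholder token so the example runs offline.
func writeToken(dir string) (string, error) {
	p := filepath.Join(dir, "token")
	return p, os.WriteFile(p, []byte("constructed.projected.token"), 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "irsa-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	tok, err := writeToken(dir)
	if err != nil {
		panic(err)
	}
	env := PodEnv{ // constructed values
		RoleARN:     "arn:aws:iam::123456789012:role/target-role",
		TokenFile:   tok,
		NodeRoleARN: "arn:aws:iam::123456789012:role/node-role",
	}
	for _, c := range []struct {
		label string
		chain []Provider
	}{{"instance role only", InstanceRoleOnlyChain()}, {"default-like", DefaultLikeChain()}} {
		src, id, err := Resolve(c.chain, env)
		fmt.Printf("%-18s -> source=%s identity=%s err=%v\n", c.label, src, id, err)
	}
}
```

The fix in a real code base is to let the SDK's default chain resolve credentials (or, if a chain is built by hand, to put the web identity provider ahead of the instance metadata provider) rather than constructing the EC2 role provider directly. Beyond the startup failure reported here, pinning the instance role means every pod on the node runs with the node's permissions, which is exactly the sharing IRSA exists to avoid.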