By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

EKS pod not accessing Kubernetes Service account for role

0

I have a issue where EKS POD is not able to access DynamoDB resource and on further analysis I found that EKS is not using the configured Kubernetes service account and instead it is trying to use the EC2 default profile to get the credentials in which it is deployed ?

I am using AWS SDK software.amazon.awssdk:: dynamodb-enhanced :: 2.20.94 in my java application.

Below error is shown when trying to access dynamoDB from POD :

software.amazon.awssdk.core.exception.SdkClientException: Profile file contained no credentials for profile 'default': ProfileFile(profilesAndSectionsMap=[]) at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111) ~[sdk-core-2.20.94.jar!/:na] at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.lambda$createCredentialsProvider$2(ProfileCredentialsProvider.java:173) ~[auth-2.20.94.jar!/:na]

Please kindly let me know if you need any further details

Topics
DatabaseComputeContainers
Tags
Amazon DynamoDBKubernetes
Language
English
Sathwik
asked 7 months ago846 views
2 Answers
1
Accepted Answer

Hi,

Do you use any code in your app to specify the credentials? If yes, can you detail it?

It is important to know if / how break override the credentials provided by the DefaultAWSCredentialsProviderChain. See https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html for all details on this chain of credentials

Related question: do you have the AWS STS SDK included as part of your dependencies?

i.e., if you use Maven, in our pom.xml, something like:

<dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>sts</artifactId>
        <version>2.17.108</version>
</dependency>

Best,

Didier

profile pictureAWS
EXPERT
Didier_Durand
answered 7 months ago
  • Sathwik
    7 months ago

    Hi @Didier Durand, Thanks the answer

    I did not specifying any secret and key details in the code. we are depending on the Kubernetes Service account to retrieve the role info and on further analysis I found that we have 2 different Kubernetes service account (Default, and custom) and I am expecting my Pod to access custom service account to access Dynamodb but Pod is always trying to access default service account

    Now I am checking if there is a way in java plication to specify which service account to use

0

Hello,

When using IAM roles for service accounts, the containers in your Pods must use an AWS SDK version that supports assuming an IAM role through an OpenID Connect web identity token file. Make sure that you're using the following versions, or later, for your AWS SDK:

  • Java (Version 2) – 2.10.11
  • Java – 1.11.704

https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html

Using the AWS SDK for Java, you can build Java applications that work with DynamoDB as the SDK provides a Java API for the DynamoDB.

https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/home.html

AWS
Olawale
answered 7 months ago
  • Sathwik
    7 months ago

    Olawale-AWS, Thanks for your answer

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content