来自EKS的Fargate上的Pod无法访问AWS默认证书 [英] Pod on Fargate from EKS does not have access to AWS default credentials

问题描述

我正在尝试在EKS的Fargate上运行一个pod，该pod需要通过boto3 python客户端访问s3，但我不知道为什么会这样.在eks ec2节点上计划时，它工作得很好.

I am trying to run a pod on fargate from EKS that needs to access s3 via boto3 python client and I cant figure out why this is happening. It works just fine when scheduled on a eks ec2 node.

botocore.exceptions.NoCredentialsError: Unable to locate credentials

我有一个正确设置的Fargate配置文件，并遵循了指南.

I have a properly setup fargate profile and followed this guide.

有人知道为什么AWS凭证不在此Pod的上下文内吗?这与pod执行角色有关吗?

Does anyone know why aws credentials are not within the context of this pod? Does this have anything to do with the pod execution role?

推荐答案

我有一个正确的Fargate配置文件，并已按照本指南进行操作.

I have a properly setup fargate profile and followed this guide.

这是一个很好的开始，它将确保您的广告连播是在Fargate而不是EC2上安排的.

That's a great start and it will ensure your pods are scheduled on Fargate rather than EC2.

有人知道为什么AWS凭证不在此Pod的上下文内吗?这与pod执行角色有关吗?

Does anyone know why aws credentials are not within the context of this pod? Does this have anything to do with the pod execution role?

不知道您到底定义了什么是不可能的，但是的，值得检查广告连播执行角色，以了解入门者.

Without knowing what exactly you defined it's impossible to troubleshoot but yes, it's worth checking the pod execution role for starters.

但是，鉴于您要从Pod访问S3存储桶，因此需要确保Pod的服务帐户使用相应的策略.去年，我们推出了 IRSA ，允许您在Pod级别上分配最少的特权，并且如果您在Fargate上，这就是方法.因此，请仔细阅读并按照文档应用IRSA，如果有任何不正常的情况，请向我报告.

However, given that you want to access an S3 bucket from your pod you need to make sure the pod's service account uses the respective policy. Last year we introduced IRSA, allowing you to assign least privileges on the pod level and given you're on Fargate this is the way to go. So, please peruse and apply IRSA as per doc and report back if anything is not working as expect.

这篇关于来自EKS的Fargate上的Pod无法访问AWS默认证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！