
How to use kubernetes service account with golang?

Actually, I use Kubernetes service accounts mostly with NodeJS, and this works fine, but I have this one service made in Go and I can't seem to make it work with service accounts (I know that the service account is correctly configured because I tested it with a pod).

I'm using this lib https://github.com/aws/aws-sdk-go

Up till now I tried this:

  sess := session.Must(session.NewSession())
  creds := stscreds.NewCredentials(sess, os.Getenv("AWS_ROLE_ARN"))
  svc := s3.New(sess, &aws.Config{Credentials: creds})

And also this (just in case):

  region := os.Getenv("AMAZON_REGION")
  sess := session.Must(session.NewSession(&aws.Config{Region: &region}))

  svc := s3.New(sess)

For the first case I got the following error:

AccessDenied: User: arn:aws:sts::xxxxxxxx:assumed-role/staging-worker-node/i-0xxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxx:role/EKSServiceAccount-app

and for the second case, I got a generic permission error.

I read the docs and tried a few more things (that may not be relevant here), but I can't seem to make it work, maybe because I don't have much experience with golang.

There are a few things you can try to get your Go service to work with service accounts on Kubernetes:

Verify that your Go service is properly configured to use the Kubernetes service account. This can be done by checking that the service account is correctly mounted as a volume in the pod definition and that the service is able to read the credentials from the volume.

Make sure that the AWS SDK for Go you are using (https://github.com/aws/aws-sdk-go) is configured to use the correct credentials. The SDK supports several methods for providing credentials, including environment variables, shared credentials file, and IAM roles.

You can try using the k8s.io/client-go library instead of the AWS SDK for Go; this will help you to use the Kubernetes service account to authenticate with the Kubernetes API and obtain the required credentials for the AWS SDK.

If you are using the Kubernetes service account to authenticate with an external service such as AWS, you may also need to configure an IAM role that allows the service account to access the necessary resources.

Double check that your Go service is correctly using the Kubernetes service account token and is passing it along as an authentication token to the AWS SDK.

You can also try to use the k8s.io/client-go library to get the secret and use it in your Go code.
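The check suggested above (that the pod can actually read its service account credentials), written out as an added example that is not part of the original answer or of the AWS SDK. It assumes EKS IAM roles for service accounts, where the pod is given `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE`; `checkIRSA` and `claims` are hypothetical names, and the token is only decoded, not signature-verified.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

type claims struct {
	Sub string   `json:"sub"` // system:serviceaccount:<namespace>:<name>
	Aud []string `json:"aud"` // Kubernetes emits a list
	Exp int64    `json:"exp"`
}

// checkIRSA (hypothetical helper) verifies the pod has a usable web identity token.
func checkIRSA(getenv func(string) string, now time.Time) (c claims, err error) {
	if getenv("AWS_ROLE_ARN") == "" {
		return c, fmt.Errorf("AWS_ROLE_ARN is not set")
	}
	raw, err := os.ReadFile(getenv("AWS_WEB_IDENTITY_TOKEN_FILE"))
	if err != nil {
		return c, fmt.Errorf("web identity token unreadable: %w", err)
	}
	parts := strings.Split(strings.TrimSpace(string(raw)), ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &c)
	}
	if err != nil {
		return c, fmt.Errorf("token payload undecodable: %w", err)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, fmt.Errorf("token expired at %s", time.Unix(c.Exp, 0).UTC())
	}
	for _, a := range c.Aud {
		if a == "sts.amazonaws.com" {
			return c, nil
		}
	}
	return c, fmt.Errorf("audience %v lacks sts.amazonaws.com", c.Aud)
}

func main() { fmt.Println(checkIRSA(os.Getenv, time.Now())) }
```

If this check passes and requests are still made as the worker node role, the SDK is not exchanging the token: in aws-sdk-go, `stscreds.NewWebIdentityCredentials` performs `sts:AssumeRoleWithWebIdentity` with the token file, whereas `stscreds.NewCredentials` calls `sts:AssumeRole` with whatever credentials the session already holds.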
