@domderen domderen commented Jul 22, 2021

I tried configuring my Argo-Server to use s3 as an artifact repository, and then archive all logs automatically, and it worked fine. But then when I wanted to load those logs in the Argo-Server UI using the link `https://<arg_server_host>/artifacts/argo/<workflow_name>/<pod_name>/main-logs` I got the following error:

```
failed to create new S3 client: WebIdentityErr: failed fetching WebIdentity token:
caused by: WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token
caused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied
```

Reading through similar issues here: kubernetes-sigs/external-dns#1185 I found out that IRSA requires this setting on the Deployment:
`spec.template.spec.securityContext.fsGroup: 65534` to fix the above issue.

I thought it would be helpful for others to find information on how to deal with it here, rather than search for the answers if they hit this problem.

Checklist:

Tips:

  • Your PR needs to pass the required checks before it can be approved. If the check is not required (e.g. E2E tests) it does not need to pass
  • Sign-off your commits to pass the DCO check: git commit --signoff.
  • Run make pre-commit -B to fix codegen or lint problems.
  • Say how you tested your changes. If you changed the UI, attach screenshots.

Signed-off-by: Dominik Deren <[email protected]>
@domderen changed the title from "Updating documentation on how to setup IRSA on AWS" to "docs: updating documentation on how to setup IRSA on AWS" on Jul 22, 2021
@alexec merged commit c80f4bc into argoproj:master on Jul 22, 2021
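
One way to check a cluster for the condition this PR documents, as an added example that is not part of the PR or the Argo project's code: it takes a Deployment and its ServiceAccount as `kubectl get ... -o json` objects, and when the ServiceAccount is IRSA-annotated but the pod has no `fsGroup`, it builds the merge patch that sets `spec.template.spec.securityContext.fsGroup: 65534`. The function names, the `argo-server` object names, the `argo` namespace and the role ARN are assumptions made for the sample.

```python
import json

FS_GROUP = 65534  # value given in the PR description
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # marks a ServiceAccount as IRSA-enabled


def uses_irsa(service_account):
    """True when the ServiceAccount carries the IRSA role annotation."""
    annotations = (service_account.get("metadata") or {}).get("annotations") or {}
    return IRSA_ANNOTATION in annotations


def fsgroup_patch(deployment, service_account):
    """Return a JSON merge patch adding fsGroup, or None if no change is needed."""
    if not uses_irsa(service_account):
        return None  # not an IRSA service account, so this fix does not apply
    pod_spec = deployment["spec"]["template"]["spec"]
    sec_ctx = pod_spec.get("securityContext") or {}  # key may be absent or null
    if sec_ctx.get("fsGroup") is not None:
        return None  # an fsGroup is already set; leave the operator's choice alone
    return {"spec": {"template": {"spec": {"securityContext": {"fsGroup": FS_GROUP}}}}}


def kubectl_command(deployment, patch):
    """Render the kubectl invocation that applies the patch to this Deployment."""
    meta = deployment["metadata"]
    return "kubectl -n {} patch deployment {} --type merge -p '{}'".format(
        meta["namespace"], meta["name"], json.dumps(patch, separators=(",", ":")))


# Constructed sample objects, shaped like `kubectl get ... -o json` output.
SAMPLE_SA = {"metadata": {"name": "argo-server", "namespace": "argo",
    "annotations": {IRSA_ANNOTATION: "arn:aws:iam::111122223333:role/EXAMPLE-ROLE"}}}
SAMPLE_DEPLOYMENT = {"metadata": {"name": "argo-server", "namespace": "argo"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "argo-server",
        "securityContext": None,  # the state that produced "permission denied"
        "containers": [{"name": "argo-server",
                        "securityContext": {"runAsNonRoot": True}}]}}}}

if __name__ == "__main__":
    patch = fsgroup_patch(SAMPLE_DEPLOYMENT, SAMPLE_SA)
    print(kubectl_command(SAMPLE_DEPLOYMENT, patch) if patch else "fsGroup already set")
```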