Skip to content

Commit

Permalink
Updating documentation on how to setup IRSA on AWS
Browse files Browse the repository at this point in the history
I tried configuring my Argo-Server to use s3 as an artifact repository, and then archive all logs automatically, and it worked fine. But then when I wanted to load those logs in the Argo-Server UI using the link `https://<arg_server_host>/artifacts/argo/<workflow_name>/<pod_name>/main-logs` I got the following error:

```
failed to create new S3 client: WebIdentityErr: failed fetching WebIdentity token:
caused by: WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token
caused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied
```

Reading through similar issues here: kubernetes-sigs/external-dns#1185 I found out that IRSA requires this setting on the Deployment:
`spec.template.spec.securityContext.fsGroup: 65534` to fix the above issue.

I thought it would be helpful to others to find information how to deal with it here, rather than search for the answers if they hit this problem.

Signed-off-by: Dominik Deren <[email protected]>
  • Loading branch information
domderen committed Jul 22, 2021
1 parent 10c0fa5 commit 2b5210e
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions docs/workflow-controller-configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,9 @@ data:
key: secretKey
# If this is set to true, argo workflows will use AWS SDK default credentials provider chain. This will allow things like
# IRSA and any of the authentication methods that the golang SDK uses in it's default chain.
# If you are using IRSA on AWS, and set this option to true, you will also need to modify Argo-Server Deployment with
# `spec.template.spec.securityContext.fsGroup: 65534` configuration. This is required for IRSA to be able to access
# `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` file, and authenticate with AWS.
useSDKCreds: false
# Specifies the container runtime interface to use (default: docker)
Expand Down

0 comments on commit 2b5210e

Please sign in to comment.