Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot load AWS token file when using AWS IAM-backed service accounts #3138

Closed
geofffranks opened this issue Oct 28, 2019 · 9 comments
Closed
Assignees
Labels
Area/Cloud/AWS Area/Documentation Enhancement/User End-User Enhancement to Velero Help wanted Icebox We see the value, but it is not slated for the next couple releases. Reviewed Q2 2021

Comments

@geofffranks
Copy link

What steps did you take and what happened:
We deployed velero v1.2.0-beta1 in an attempt to use AWS IAM backed Service Accounts in EKS, as described in #1965. When velero started, it failed with the following error:

time="2019-10-28T19:46:05Z" level=info msg="Checking that all backup storage locations are valid" logSource="pkg/cmd/server/server.go:421"
An error occurred: some backup storage locations are invalid: error getting backup store for location "default": rpc error: code = Unknown desc = WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token
caused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied

What did you expect to happen:

Velero to start up and work

The output of the following commands will help us better understand what's going on:

  • kubectl logs deployment/velero -n velero
time="2019-10-28T19:46:05Z" level=info msg="Checking that all backup storage locations are valid" logSource="pkg/cmd/server/server.go:421"
An error occurred: some backup storage locations are invalid: error getting backup store for location "default": rpc error: code = Unknown desc = WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token
caused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied

Anything else you would like to add:

This looks similar to the issue described here: kubernetes-sigs/external-dns#1185, so I applied the fix to our velero deployment yaml, and that resolved the issue. Is this something that can be added to the velero cli's auto-generated deployment yaml?

securityContext:
        fsGroup: 65534
@redradrat
Copy link

redradrat commented Oct 28, 2019

I can confirm this. Adding the securityContext "fixes" the issue. @geofffranks thanks for pointing to this.

@skriss
Copy link
Contributor

skriss commented Oct 28, 2019

thanks for reporting @geofffranks -- will take a more detailed look and decide how to proceed.

@skriss
Copy link
Contributor

skriss commented Dec 6, 2019

Transferring this to the AWS plugin repo. I think for now we probably want to just document this for AWS users using this setup.

@skriss skriss transferred this issue from vmware-tanzu/velero Dec 6, 2019
@skriss skriss changed the title [v1.2.0-beta1] Cannot load AWS token file Cannot load AWS token file when using AWS IAM-backed service accounts Dec 9, 2019
@garystafford
Copy link

garystafford commented Feb 12, 2020

Confirming as of today, 2/12/2020, this issue still exists, and the fix, referenced above by @geofffranks, still works.

@acegrader33
Copy link

Issue still exists 3/25/2020, fix referenced above still works for resolving the listed error.

However, depending on networking configuration, there can be an additional error where velero cannot reach the sts.amazonaws.com endpoint which prevents use of the AWS IAM-backed service accounts. This would be fixed by using a newer version of the aws-sdk though since additional environment variables become available to configure the STS endpoint in v1.25.18.

Are there any plans to update the plugin to use a newer version of the aws-sdk?

@airwalk225
Copy link

airwalk225 commented Sep 16, 2020

Confirmed that this issue still exists.

The fix suggested by @geoffranks still works.
The fix also works if you are installing via the Helm chart.

@carlisia
Copy link
Contributor

Update:

As per @zubron on a different ticket related to this:

The core issue seems to be that all containers for Velero run as user nobody and the service account token is mounted with permissions 0600 preventing non-root users from reading the file (see kubernetes/kubernetes#82573). This issue has been resolved in Kubernetes and looks like it was released in v1.19.0. I don't know how that fix will be made available in EKS or whether there is more to do on the Velero side.

Action needed: document the workaround and also the fact that it is addressed on k8s v1.19.0.

@nrb nrb transferred this issue from vmware-tanzu/velero-plugin-for-aws Dec 7, 2020
@eleanor-millman eleanor-millman added Reviewed Q2 2021 Icebox We see the value, but it is not slated for the next couple releases. labels May 10, 2021
@eleanor-millman
Copy link
Contributor

This would probably go under limitations in the AWS Plugin readme.

@a-mccarthy
Copy link
Contributor

This information has been updated on the AWS plugin docs, https://github.com/vmware-tanzu/velero-plugin-for-aws#install-and-start-velero

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area/Cloud/AWS Area/Documentation Enhancement/User End-User Enhancement to Velero Help wanted Icebox We see the value, but it is not slated for the next couple releases. Reviewed Q2 2021
Projects
None yet
Development

Successfully merging a pull request may close this issue.

10 participants