I have an EKS cluster with a Fargate profile for compute. I've configured the Pod execution role on the Fargate profile with the 2 managed policies.
- AmazonEKSFargatePodExecutionRolePolicy
- AmazonDynamoDBFullAccess
The code is run as a CronJob, it starts off by pulling a configuration from DynamoDb:
    import boto3

    # region, table_name and config_id are set earlier in the job (not shown in the post)
    dynamodb = boto3.resource('dynamodb', region_name=region)
    table = dynamodb.Table(table_name)
    response = table.get_item(
        Key={
            'Id': config_id
        })
When the code reaches this point it always exceptions out with:
raise NoCredentialsError()
botocore.exceptions.NoCredentialsError: Unable to locate credentials
I know I can pass the AWS credentials straight in when I initialise the boto3 client but I don't want to do that for security reasons.
I had originally tested the code using an EC2 instance in an auto-scaling group for compute instead of Fargate, which worked.
How do I resolve this error?
CodePudding user response:
Following all 3 steps in this guide addressed the issue.
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
The problem lay with the service account that was executing the code in my pod.
You need to attach a role to the service account itself. In my implementation I created a new service account; in theory I could have a separate service account with separate permissions per pod.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: your-custom-service-account
      namespace: default
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::12345678910:role/CustomServiceAccountRole
        eks.amazonaws.com/sts-regional-endpoints: 'true'
and then make sure that account is the service account associated with the pod.
    spec:
      serviceAccountName: your-custom-service-account
If you don't specify a service account for your pod then it defaults to the 'default' service account that is present in the cluster.
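The answer above covers the Kubernetes side of the fix; the IAM side is the role named in the annotation and its trust policy, which is what the linked guide's other steps create. The Python below is an added example, not code from the question, the answer, or AWS: it generates that trust policy, a least-privilege permissions policy for the CronJob (the posted code only calls get_item, so it does not need AmazonDynamoDBFullAccess), the ServiceAccount manifest as a dict, and a preflight check that names the cause of a NoCredentialsError from inside the pod. It relies on two facts: on Fargate the pod execution role is used by the Fargate infrastructure (pulling images, shipping logs), not by the application, and there is no instance metadata service for boto3 to fall back to, which is why the same code worked on EC2 nodes; and the EKS pod identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE only when the pod runs under an annotated service account. The account ID, region, OIDC provider ID, table ARN and all names are constructed placeholders.

```python
# Added example, not from the original question or answer.  Generates the IAM
# and Kubernetes pieces behind IRSA on EKS Fargate and checks a pod's
# environment for them.  Every identifier below is an assumed placeholder.
import json
import os


def oidc_provider_host(region: str, provider_id: str) -> str:
    """Issuer host of the cluster's OIDC provider, as used in IAM condition keys."""
    return f"oidc.eks.{region}.amazonaws.com/id/{provider_id}"


def irsa_trust_policy(account_id, region, provider_id, namespace, service_account):
    """Trust policy for the role in the eks.amazonaws.com/role-arn annotation.

    The two StringEquals conditions are the security boundary: without the
    `sub` condition any pod in the cluster could assume the role, and `aud`
    pins the token to STS.  Do not loosen these to StringLike wildcards.
    """
    host = oidc_provider_host(region, provider_id)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{host}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def dynamodb_get_item_policy(table_arn):
    """Permissions policy for the CronJob: GetItem on one table is all the
    posted code uses, so that is all the role should be allowed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["dynamodb:GetItem"], "Resource": table_arn}],
    }


def service_account_manifest(name, namespace, role_arn):
    """The ServiceAccount from the answer as a dict; the pod must then set
    spec.serviceAccountName to `name`, or it silently uses 'default'."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {
                "eks.amazonaws.com/role-arn": role_arn,
                "eks.amazonaws.com/sts-regional-endpoints": "true",
            },
        },
    }


def irsa_preflight(environ=None, isfile=os.path.isfile):
    """Return the IRSA problems visible from inside the pod, or [] if all is well.

    The pod identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE
    (and mounts the projected token) only when the pod's service account carries
    the role-arn annotation.  If they are absent boto3 walks its credential
    chain, finds nothing on Fargate, and raises NoCredentialsError.
    """
    env = os.environ if environ is None else environ
    problems = []
    if not env.get("AWS_ROLE_ARN"):
        problems.append("AWS_ROLE_ARN not set: service account lacks the "
                        "eks.amazonaws.com/role-arn annotation, or the pod "
                        "does not use that service account")
    token = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not token:
        problems.append("AWS_WEB_IDENTITY_TOKEN_FILE not set: projected token "
                        "volume was not injected")
    elif not isfile(token):
        problems.append(f"token file {token} missing: projected volume not mounted")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    account, region, provider = "123456789012", "eu-west-1", "EXAMPLED539D4633E53DE1B71EXAMPLE"
    role_arn = f"arn:aws:iam::{account}:role/CustomServiceAccountRole"
    print(json.dumps(irsa_trust_policy(account, region, provider, "default",
                                       "your-custom-service-account"), indent=2))
    print(json.dumps(dynamodb_get_item_policy(
        f"arn:aws:dynamodb:{region}:{account}:table/config"), indent=2))
    print(json.dumps(service_account_manifest("your-custom-service-account",
                                              "default", role_arn), indent=2))
    print(irsa_preflight() or "IRSA environment looks complete")
```

With the role, trust policy and annotated service account in place, the boto3 code in the question needs no change: the SDK reads the injected variables and calls AssumeRoleWithWebIdentity itself, so no static keys are passed to the client. Running irsa_preflight() at the top of the job gives a precise message instead of "Unable to locate credentials" when a pod is accidentally scheduled under the default service account.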
