You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Joe Petitti (Jira)" <ji...@apache.org> on 2022/07/26 15:11:00 UTC

[jira] [Created] (NIFI-10280) NiFi pods don't use IRSA role

Joe Petitti created NIFI-10280:
----------------------------------

             Summary: NiFi pods don't use IRSA role
                 Key: NIFI-10280
                 URL: https://issues.apache.org/jira/browse/NIFI-10280
             Project: Apache NiFi
          Issue Type: Bug
    Affects Versions: 1.16.3
         Environment: Kubernetes
            Reporter: Joe Petitti


I have NiFi deployed on a kubernetes cluster using IAM Roles for Service Accounts. I've verified that the service account token is being injected into the pods, is readable by the nifi user, and is a valid token. The environment variables `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_ROLE_ARN`, `AWS_REGION`, and `AWS_DEFAULT_REGION` are set in the pods properly too. On the AWSCredentialsProviderControllerService I have "Use Default Credentials" set to true. But NiFi seems to be ignoring the web identity environment variables and just using the node's IAM role instead.

NiFi 1.16.3 uses aws-sdk-java version 1.12.182, which should be high enough to use IRSA by default above node role according to [this issue|[https://github.com/aws/aws-sdk-java/issues/2136],] so I'm not sure why the environment variables are being ignored. Any help would be greatly appreciated.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)