LIQO not working with AWS federated user (using STS Security Token Service) #1410
Comments
Any update here?
Hi @agulhane-tibco! Sorry for the late answer. The AWS STS service is not supported currently; you can install liqo by using helm. Make sure to set:
Thanks @aleoli for the response. But can you confirm that in future, AWS STS service support will be included or not?
We should investigate better which is the blocker here. Yet, this is not currently high on our priority list since it is only related to liqoctl install and a workaround exists, unless there is a strong demand from the community.
@agulhane-tibco It depends on the requests coming from the community, and the support we get from interested partners :-)
Hi @aleoli, we tried out the solution which you have provided to Aniket; however, it fails to connect to another cluster having liqo installed. Below is the error we are getting:
Hi @saushind-tibco! It seems that the other cluster (the remote one) is not able to sign a request to the AWS APIs. Can you check the logs of the AuthService in the other cluster and that the AWS IAM keys provided to the remote cluster are valid?
Hi @aleoli, does liqo create new users for further processing? As our infrastructure is built on STS, our account does not have any provision for creating new users. Is there any workaround to use roles instead of relying on users to be created?
Hi @saushind-tibco! At the moment, the IAM user creation is required; we have to investigate deeper the ways to authenticate remote clusters.
Hi @aleoli, we have a limitation on providing user creation access to the IAM user. Is there any other way we can use it, like passing on a pre-created user that Liqo would use to authenticate the remote cluster?
No, at the moment no other mechanism is currently supported, but we are open to suggestions and contributions from the community to provide it in a future release.
@agulhane-tibco I am also using STS and with the 0.6.0, I am able to install. The IAM role you are assuming is going to be used to create a liqo-user, since liqo doesn't support IRSA yet. All peering will happen using the same user. If you are still blocked, feel free to ping me on Slack.
What happened:
We have an AWS account with federated user access. To connect to the AWS account from a local machine, we use the STS service, but while executing "liqoctl install aws" we are receiving an error. It seems there is no support from "liqoctl".
As of now I cannot see any flags for installing "liqo" on an AWS EKS cluster using STS in the "liqoctl" command.
Error we are receiving:
-sh-4.2$ liqoctl install eks --eks-cluster-region us-east-2 --eks-cluster-name federations
INFO Installer initialized
ERRO Error retrieving provider specific configuration: failed retrieving cluster information: unable to get cluste
status code: 403, request id: ffde161b-f549
What you expected to happen:
AWS federated user should be able to connect using STS while executing "liqoctl install aws".
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
kubectl version: v1.22 / v1.23