Dev - Nexus Repo / NEXUS-30056

AWS IRSA service account doesn't work

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.36.0
    • Fix Version/s: None
    • Component/s: Blobstore, S3
    • Labels:

      Description

      The same bug was opened before but was closed.

      You can get the error "org.sonatype.nexus.blobstore.s3.internal.S3BlobStoreException: Bucket exists but is not owned by you" because Nexus doesn't use the Service Account Token (IRSA) properly.

      Several people still have an issue with the EKS IRSA Service Account;
      you can read more details in this comment: https://issues.sonatype.org/browse/NEXUS-24019?focusedCommentId=1090798&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-1090798

      If you connect to the Nexus k8s Pod and run

          env
          #AWS_ROLE_ARN=<NEXUS_IAM_ROLE>
          #AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

          aws s3api get-bucket-acl --bucket <NEXUS_BLOBSTORE_BUCKET_NAME>
          {
              "Owner": {
                  "DisplayName": "XXXX",
                  "ID": "XXXX"
              },
              "Grants": [
                  {
                      "Grantee": {
                          "DisplayName": "XXXX",
                          "ID": "XXXX",
                          "Type": "CanonicalUser"
                      },
                      "Permission": "FULL_CONTROL"
                  }
              ]
          }

      everything is OK,

      but the Nexus source code cannot reuse these creds for S3 bucket actions.
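As an added diagnostic (not Nexus code and not from the reporter), the script below checks from inside the pod that the IRSA projection the description relies on is actually usable: it validates AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE and inspects the projected token's aud, sub and exp claims, so a bucket-ownership error can be attributed to the application rather than to the projection. The make_token helper and the sample claims are constructed for offline testing only.

```python
"""Sanity-check an EKS IRSA projection inside a pod (added example, not Nexus code)."""
import base64
import json
import re
import time

# IAM role ARNs look like arn:aws:iam::<12-digit account>:role/<path and name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims. The signature is NOT verified here: STS does that."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def check_irsa(env: dict, token: str, now=None) -> list:
    """Return the problems found; an empty list means the projection looks usable."""
    now = time.time() if now is None else now
    problems = []
    role_arn = env.get("AWS_ROLE_ARN", "")
    if not ROLE_ARN_RE.match(role_arn):
        problems.append("AWS_ROLE_ARN missing or malformed: %r" % (role_arn,))
    if not env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        problems.append("AWS_WEB_IDENTITY_TOKEN_FILE is not set")
    try:
        claims = decode_jwt_claims(token)
    except ValueError as exc:  # covers bad base64, bad JSON and bad segment count
        return problems + ["token unreadable: %s" % (exc,)]
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # the aud claim may be a string or a list
    if "sts.amazonaws.com" not in aud:
        problems.append("token audience %r does not include sts.amazonaws.com" % (aud,))
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append("token subject %r is not a Kubernetes service account" % (claims.get("sub"),))
    if claims.get("exp", 0) <= now:
        problems.append("token has expired or lacks an exp claim")
    return problems


def make_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed for offline tests)."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "dummysig"])
```

In the pod, run it as `check_irsa(dict(os.environ), open(os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"]).read().strip())`; an empty result means the problem lies in how the application consumes the credentials, not in the projection.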

              People

              Assignee: Unassigned
              Reporter: azhurbilo Artem
              Last Updated By: Matthew Piggott
              Votes: 0
              Watchers: 2