[NEXUS-30056] AWS IRSA service account doesn't work - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: New
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.36.0
Fix Version/s: None
Component/s: Blobstore, S3
Labels:
- triaged

Description

The same bug was opened before but was closed

you can get Error "org.sonatype.nexus.blobstore.s3.internal.S3BlobStoreException: Bucket exists but is not owned by you" as Nexus doesn't use Service Account Token (IRSA) properly

Several people still have an issue with EKS IRSA Service Account
more details you can read in this comment https://issues.sonatype.org/browse/NEXUS-24019?focusedCommentId=1090798&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-1090798

If connect to Nexus k8s Pod and run

env
#AWS_ROLE_ARN=<NEXUS_IAM_ROLE>
#AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

 aws s3api get-bucket-acl --bucket <NEXUS_BLOBSTORE_BUCKET_NAME>
{
 "Owner": {
 "DisplayName": "XXXX",
 "ID": "XXXX"
 },
 "Grants": [
 {
 "Grantee": {
 "DisplayName": "XXXX",
 "ID": "XXXX",
 "Type": "CanonicalUser"
 },
 "Permission": "FULL_CONTROL"
 }
 ]
}

everything is ok

but Nexus source code can not reuse these creds for S3 bucket actions

Attachments

Issue Links

relates

NEXUS-24019 Use newer AWS SDK to support IRSA

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Artem

Last Updated By:: Matthew Piggott

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 11/29/21 02:28 PM

Updated:: 02/02/22 05:14 PM

Date of First Response:: 16/Dec/21 8:56 PM