Use assume role with web identity in order to use iam role for service account in EKS #19

Open
1 of 3 tasks
Kent1 opened this issue Jan 5, 2021 · 3 comments

Comments


Kent1 commented Jan 5, 2021

Please specify whether your issue is about:

  • a possible bug
  • a question about package functionality
  • a suggested code or documentation change, improvement to the code, or feature request

We do have jupyterhub running in EKS. Each jupyter pod uses an IAM role for service account in order to have access to S3, etc. That works fine with python boto3 and awscli.

However, in R, the only thing I see is the role attached to the worker node, which is not the correct role.

Is there a way to use the same authentication mechanism as awscli or boto3? If not, is there a way to use assume role with web identity?

Put your code here:

```R
## load package
library("aws.s3")
library("aws.signature")
library("aws.iam")

## code goes here

> get_caller_identity()

$Account  '012345678910'
$Arn  'arn:aws:sts::012345678910:assumed-role/eks-node-group-dev040/i-01adcd0b33f520bf9'
$UserId  'AROAQT5SGVC3YD227SYGI:i-01adcd0b33f520bf9'

> assume_role("arn:aws:iam::01234567810:role/terraform/jupyterhub/dev040-jupyterhub", "test", use=TRUE, key=NULL, secret=NULL, session_token="eyJhbGciOiJSUzI....")

Warning message in stsHTTP(query = query, ...):
“Forbidden (HTTP 403).List of 3
 $ Code   : chr "AccessDenied"
 $ Message: chr "User: arn:aws:sts::01234567810:assumed-role/eks-node-group-dev040/i-01adcd0b33f520bf9 is not authorized to per"| __truncated__


## session info for your system
sessionInfo()
R version 4.0.3 (2020-10-10)
Platform: x86_64-conda-linux-gnu (64-bit)
Running under: Ubuntu 20.04.1 LTS

Matrix products: default
BLAS/LAPACK: /opt/conda/lib/libopenblasp-r0.3.12.so

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8
 [5] LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=C
 [9] LC_ADDRESS=C               LC_TELEPHONE=C
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base

other attached packages:
[1] aws.iam_0.1.8       aws.signature_0.6.0 aws.s3_0.3.21

loaded via a namespace (and not attached):
 [1] aws.ec2metadata_0.2.0 digest_0.6.27         crayon_1.3.4
 [4] IRdisplay_0.7.0       R6_2.5.0              repr_1.1.0
 [7] lifecycle_0.2.0       jsonlite_1.7.1        evaluate_0.14
[10] httr_1.4.2            pillar_1.4.7          rlang_0.4.9
[13] curl_4.3              uuid_0.1-4            xml2_1.3.2
[16] ellipsis_0.3.1        IRkernel_1.1.1        tools_4.0.3
[19] compiler_4.0.3        base64enc_0.1-3       htmltools_0.5.0
[22] pbdZMQ_0.3-3.1
```

@mohamedimranveeva

@Kent1 hi, did you manage to work around this issue? I am having the same problem. Please update. Thanks


Kent1 commented Mar 2, 2023

I can't remember, sorry. I was helping some dev with R code, but I am not an R dev myself.


jspiewak commented Aug 1, 2023

See cloudyr/aws.signature#62 and cloudyr/aws.signature#63
Looks like support is written, but not released.
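
The web-identity exchange asked about in this issue, as an added example that is not part of the thread or of the cloudyr packages. It assumes the pod carries the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables that EKS injects for an annotated service account; the function name, session name and use of the global STS endpoint are illustrative choices.

```r
# Added example: not code from the thread or from aws.iam / aws.signature.
library(httr)
library(xml2)

# Exchange the pod's projected service-account token for temporary role
# credentials. AssumeRoleWithWebIdentity is an unsigned STS call, so the
# worker node's instance-profile credentials are never involved.
assume_role_with_web_identity <- function(
    role_arn     = Sys.getenv("AWS_ROLE_ARN"),
    token_file   = Sys.getenv("AWS_WEB_IDENTITY_TOKEN_FILE"),
    session_name = "r-session",                    # hypothetical session name
    endpoint     = "https://sts.amazonaws.com/") { # assumption: global endpoint
  if (!nzchar(role_arn) || !nzchar(token_file) || !file.exists(token_file)) {
    stop("IRSA variables are not set; check the pod's service account annotation")
  }
  # Re-read the file on every call: the kubelet rotates the projected token.
  token <- paste(readLines(token_file, warn = FALSE), collapse = "")
  resp <- POST(endpoint, encode = "form", body = list(
    Action           = "AssumeRoleWithWebIdentity",
    Version          = "2011-06-15",
    RoleArn          = role_arn,
    RoleSessionName  = session_name,
    WebIdentityToken = token
  ))
  doc <- xml_ns_strip(read_xml(content(resp, as = "text", encoding = "UTF-8")))
  if (http_error(resp)) {
    # Surface only the STS error code and message, never the token itself.
    stop("STS ", xml_text(xml_find_first(doc, "//Error/Code")), ": ",
         xml_text(xml_find_first(doc, "//Error/Message")))
  }
  field <- function(name) {
    xml_text(xml_find_first(doc, paste0("//Credentials/", name)))
  }
  creds <- list(key = field("AccessKeyId"), secret = field("SecretAccessKey"),
                session_token = field("SessionToken"),
                expiration = field("Expiration"))
  # aws.signature reads credentials from these environment variables.
  Sys.setenv(AWS_ACCESS_KEY_ID = creds$key,
             AWS_SECRET_ACCESS_KEY = creds$secret,
             AWS_SESSION_TOKEN = creds$session_token)
  invisible(creds)
}

creds <- assume_role_with_web_identity()
message("Role credentials valid until ", creds$expiration)
# aws.iam::get_caller_identity() should now report the service account's
# role instead of the node group role.
```

The returned credentials expire, so a long-running notebook has to call the function again before `expiration`.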
