token is not refreshed when running in k8s pod connected to serviceaccount #736
Comments
Can you please share the logs around the time mount-s3 loses access to the s3 bucket? What is the error that you receive? Thanks.
I don't have the logs anymore, but I received an HTTP 403 error
Yes. Could you please simulate it again, and provide the logs?
Hey @coolstim. Please use the
atm we abandoned the use of mountpoint-s3 because of performance issues; we now use Lustre FSx with a data repository association to S3, which performs a whole lot better.
Glad you were able to move forward for your use case. I do want to make sure we solve this issue for anyone else who may face it, so I will leave this open for now and we'll investigate further on our side.
Are you able to confirm which token you believed was expiring? Was it the web identity token, the IAM session, or unclear?
unclear tbh
I don't have anything to share on investigating this issue right now, but I'm noting down some of the thoughts @vladem and I had last week on this issue.
Next steps
Mountpoint for Amazon S3 version
1.1.0
AWS Region
us-east-1
Describe the running environment
Running on EKS
mount-s3 is running in a container that is part of a pod that uses a serviceaccount.
The serviceaccount is annotated with
eks.amazonaws.com/role-arn=arn:aws:iam::xxx:role/mounts3role
The mounts3role has the needed permissions on an s3 bucket
Expected behavior:
mount-s3 retains access to the s3 bucket even when the process runs longer than the token expiration time.
Actual behavior:
mount-s3 loses access to the s3 bucket when the process runs longer than the token expiration time.
It seems that the token refresh is not implemented correctly.
Mountpoint options
mount-s3 -f test /s3/bucket --allow-other --auto-unmount --read-only --region us-east-1 --prefix source-data/
What happened?
mount-s3 loses access to the s3 bucket when the process runs longer than the token expiration time.
Relevant log output
No response
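For the question raised in the comments about which token was expiring (the web identity token or the IAM session), a diagnostic sketch added here; it is not code from the Mountpoint project or from anyone in this thread. It assumes the pod exposes the projected service account token through `AWS_WEB_IDENTITY_TOKEN_FILE`; the `diagnose` labels and `make_sample_token` helper are hypothetical names, and the payload is decoded without signature verification, for inspection only.

```python
import base64
import json
import os
import time


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload. No signature check: diagnostic use only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, failure_time: float) -> str:
    """Classify a 403 seen at failure_time against the token's exp claim."""
    claims = jwt_claims(token)
    if failure_time >= claims["exp"]:
        # The token on disk had itself expired, so it was not rotated in time.
        return "web-identity-token-expired"
    # The token on disk was still valid, so a fresh role assumption was possible;
    # the process was probably still using an older IAM session (assumption).
    return "token-valid-suspect-iam-session"


def make_sample_token(iat: int, exp: int) -> str:
    """Constructed, unsigned sample token for offline runs (not a real credential)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64({"iat": iat, "exp": exp}), "c2ln"])


if __name__ == "__main__":
    now = int(time.time())
    path = os.environ.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if path:
        with open(path) as fh:
            token = fh.read()
    else:
        # No token file present: fall back to the constructed sample.
        token = make_sample_token(now - 600, now + 3000)
    claims = jwt_claims(token)
    print("iat:", claims.get("iat"), "exp:", claims["exp"],
          "seconds remaining:", claims["exp"] - now)
    print(diagnose(token, now))
```

Running it inside the affected container at the moment the 403 appears shows whether the token file on disk is still valid, which separates the two cases asked about above.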