But there is a problem. You are pointing to the documentation where you are manually creating providers, and there you can configure ControllerConfig, Provider and ProviderConfig:
When you say "OCI image" I assume you mean the Providers that are installed by the package manager as a dependency from the Configuration.
There isn't currently a way to configure these Providers with DeploymentRuntimeConfigs to allow for IRSA. It does seem like all of the providers for a given family could share the same DeploymentRuntimeConfig and maybe use label selection to determine a default instance to use if none is specified. There was a similar question about this on Slack - https://crossplane.slack.com/archives/CEG3T90A1/p1713391580418069 so it's probably something we should look into.
Issue link: #5598
Hi, I'd like to kindly ask for help.
I have a Crossplane package with the following content:
The configuration file looks like this:
Now in the cluster, there is already a default ProviderConfig installed:
After installing my Crossplane package into the cluster, the providers (s3, iam) are automatically using the AWS credentials from the ProviderConfig.
But this should now be reworked to use IRSA. After I changed the ProviderConfig to IRSA and installed the Crossplane package, the newly created provider pods (for s3, iam) do not use IRSA, meaning the service accounts created for the provider pods do not have the annotation with that IAM role.
When I install the Crossplane package to different EKS clusters in different AWS accounts, the IAM role will always be different. This is why I need the newly created providers to AUTOMATICALLY use IRSA after the package installation.
I didn't find (or did not figure out) documentation on how to do it.
Could anybody please help?
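A check for the symptom described in the question, as an added example that is not part of the thread or Crossplane's own code: it reads a service account list as JSON and reports provider service accounts that lack the IRSA role annotation or point at a role in a different AWS account. The `provider-aws-` name prefix, the `crossplane-system` namespace and the sample data are assumptions.

```python
import json
import re

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # annotation EKS reads for IRSA
ROLE_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/.+$")

# Constructed sample, shaped like the output of
# `kubectl get serviceaccounts -n crossplane-system -o json` (namespace assumed).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "provider-aws-s3-0a1b2c3d4e5f", "annotations": {
        IRSA_ANNOTATION: "arn:aws:iam::111111111111:role/crossplane-provider-aws"}}},
    {"metadata": {"name": "provider-aws-iam-6f5e4d3c2b1a"}},
    {"metadata": {"name": "provider-aws-sqs-112233445566", "annotations": {
        IRSA_ANNOTATION: "arn:aws:iam::222222222222:role/crossplane-provider-aws"}}},
    {"metadata": {"name": "crossplane"}},
]})


def audit_irsa(sa_list_json, expected_account, name_prefix="provider-aws-"):
    """Return {service account name: finding} for provider service accounts.

    Findings: "ok", "missing-annotation", "malformed-arn", "wrong-account".
    name_prefix is an assumption about how provider service accounts are named.
    """
    findings = {}
    for item in json.loads(sa_list_json).get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        if not name.startswith(name_prefix):
            continue  # not a provider service account
        # "annotations" may be absent or null on an unannotated account
        arn = (meta.get("annotations") or {}).get(IRSA_ANNOTATION)
        if arn is None:
            findings[name] = "missing-annotation"
            continue
        match = ROLE_ARN.match(arn)
        if match is None:
            findings[name] = "malformed-arn"
        elif match.group(2) != expected_account:
            findings[name] = "wrong-account"  # role lives in another AWS account
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for sa, finding in sorted(audit_irsa(SAMPLE, "111111111111").items()):
        print(f"{sa}: {finding}")
```

Running it per cluster with that cluster's own account ID catches providers that silently fall back to other credentials after a package install.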