Add EKS tutorial with service account setup. #4669
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ChillFish8
reviewed
Mar 4, 2024
| "Condition": { | ||
| "StringEquals": { | ||
| "oidc.eks.${REGION}.amazonaws.com/id/${CLUSTER_ID}:aud": "sts.amazonaws.com", | ||
| "oidc.eks.${REGION}.amazonaws.com/id/${CLUSTER_ID}:sub": "system:serviceaccount:${S3_BUCKET}:${SERVICE_ACCOUNT_NAME}" |
There was a problem hiding this comment.
Suggested change
| "oidc.eks.${REGION}.amazonaws.com/id/${CLUSTER_ID}:sub": "system:serviceaccount:${S3_BUCKET}:${SERVICE_ACCOUNT_NAME}" | |
| "oidc.eks.${REGION}.amazonaws.com/id/${CLUSTER_ID}:sub": "system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT_NAME}" |
Think you meant to use NAMESPACE here rather than bucket
ChillFish8
reviewed
Mar 4, 2024
| To access the UI, you can run the following command and then open your browser at [http://localhost:7280](http://localhost:7280): | ||
|
|
||
| ``` | ||
| kubectl port-forward svc/{release-name}-quickwit-searcher 7280:7280 |
There was a problem hiding this comment.
Suggested change
| kubectl port-forward svc/{release-name}-quickwit-searcher 7280:7280 | |
| kubectl port-forward svc/quickwit-searcher 7280:7280 |
Kubetcl seems to not want the release name there
Comment on lines
+81
to
+85
| "s3:AbortMultipartUpload", | ||
| "s3:DeleteObject", | ||
| "s3:GetObject", | ||
| "s3:ListMultipartUploadParts", | ||
| "s3:PutObject" |
There was a problem hiding this comment.
If the object that you request doesn’t exist, the error that Amazon S3 returns depends on whether you also have the s3:ListBucket permission.
- If you have the s3:ListBucket permission on the bucket, Amazon S3 returns an HTTP status code 404 Not Found error.
- If you don’t have the s3:ListBucket permission, Amazon S3 returns an HTTP status code 403 Access Denied error.
(extract from https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html)
we probably need s3:ListBucket (or to handle errors differently), at least when initializing the metastore for the first time
it's a permission to have on arn:aws:s3:::${S3_BUCKET} directly, and not arn:aws:s3:::${S3_BUCKET}/*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.