
Does Atlantis support EKS Pod Identity? #5344

Open
younsl opened this issue Feb 19, 2025 · 0 comments
Labels
question Further information is requested

Comments


younsl commented Feb 19, 2025

I've been using Atlantis with IRSA (IAM Roles for Service Accounts) in a hub-and-spoke architecture, where the hub IAM role assumes spoke IAM roles. This keyless setup (no IAM users, only roles) worked perfectly.

However, I noticed there's no documentation about EKS Pod Identity (the successor to IRSA) in the official Atlantis docs. I'm trying to migrate from IRSA to EKS Pod Identity with this configuration:

# charts/atlantis/my_values.yaml
aws:
  config: |
    [profile default]
    region = ap-northeast-2
    role_arn = arn:aws:iam::123456789:role/my-atlantis-podid-role
    web_identity_token_file = /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token

The hub IAM role (my-atlantis-podid-role) has the correct trust relationship allowing the pods.eks.amazonaws.com service to assume this role.

The EKS Pod Identity mutating webhook successfully mounts the service account token into the atlantis v0.32.0 pod:

# atlantis pod's spec
spec:
  volumes:
  - name: eks-pod-identity-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: pods.eks.amazonaws.com
          expirationSeconds: 86400
          path: eks-pod-identity-token

atlantis-0:/var/run/secrets/pods.eks.amazonaws.com/serviceaccount$ ls -lh /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/
total 0
lrwxrwxrwx    1 root     atlantis      29 Feb  7 08:22 eks-pod-identity-token -> ..data/eks-pod-identity-token

But running atlantis plan in PRs fails with this No valid credential sources found error:

running 'sh -c' '/atlantis-data/bin/terraform1.10.5 init -input=false -upgrade' in '/<REDACTED>': exit status 1
Initializing the backend...
Upgrading modules...
Downloading git::https://<REDACTED>/<ORG>/<REPO>.git for ecr...
- ecr in .terraform/modules/ecr/modules/aws/ecr
╷
│ Error: No valid credential sources found
│ 
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, failed to retrieve
│ credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded
│ maximum number of attempts, 3, https response error StatusCode: 400,
│ RequestID: b70056e4-9983-4a7b-aa4a-6a19b4f84685, InvalidIdentityToken:
│ Incorrect token audience
│ 
╵

Questions:

  1. Does atlantis officially support EKS Pod Identity?
  2. Is this the correct configuration approach to use EKS Pod Identity?
  3. Are there any additional settings needed?
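The pod spec above shows the projected token is issued with audience `pods.eks.amazonaws.com`, while the `web_identity_token_file` profile hands that same token to `AssumeRoleWithWebIdentity`, which is the call STS rejects with "Incorrect token audience". A quick way to see such a mismatch before Terraform does is to decode the mounted token's claims (no signature verification, inspection only) and compare its `aud` with the credential flow the client is configured for. The script below is an added diagnostic example, not Atlantis or AWS code: it decodes a constructed, unsigned sample token shaped like the projected one, classifies its audience, and infers the configured flow from the standard AWS SDK environment variables (`AWS_ROLE_ARN`/`AWS_WEB_IDENTITY_TOKEN_FILE` for IRSA, `AWS_CONTAINER_CREDENTIALS_FULL_URI`/`AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` for the container credential provider that Pod Identity uses). The `sts.amazonaws.com` audience is assumed to be the IRSA default; the claims in the sample token are constructed.

```python
"""Inspect a projected service-account token and report which AWS credential
flow its audience fits. Added diagnostic example; not Atlantis project code."""
import base64
import json
import os
from typing import Optional

# Audience the EKS Pod Identity webhook requests (as seen in the pod spec).
POD_IDENTITY_AUDIENCE = "pods.eks.amazonaws.com"
# Assumed default audience of IRSA tokens consumed via AssumeRoleWithWebIdentity.
IRSA_AUDIENCE = "sts.amazonaws.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.
    Local inspection only; never use these claims for an authorization decision."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    return json.loads(_b64url_decode(parts[1]))


def audiences(claims: dict) -> list:
    """Normalise the 'aud' claim, which may be a string or a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def classify(claims: dict) -> str:
    """Map the token's audience to the credential flow it was minted for."""
    auds = audiences(claims)
    if POD_IDENTITY_AUDIENCE in auds:
        return "pod-identity"   # meant for the Pod Identity Agent, not STS directly
    if IRSA_AUDIENCE in auds:
        return "irsa"           # usable with AssumeRoleWithWebIdentity
    return "unknown"


def detect_configured_flow(env: dict) -> str:
    """Infer the flow from the environment the AWS SDK sees.
    Both variable pairs are standard AWS SDK credential-provider settings."""
    if env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI") and env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"):
        return "pod-identity"
    if env.get("AWS_ROLE_ARN") and env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        return "irsa"
    return "unknown"


def explain_mismatch(claims: dict, configured_flow: str) -> Optional[str]:
    """Return a diagnostic string when the token does not fit the configured
    flow, or None when they agree. 'irsa' means role_arn + web_identity_token_file;
    'pod-identity' means the SDK is expected to call the Pod Identity Agent."""
    actual = classify(claims)
    if actual == configured_flow:
        return None
    return (f"token audience {audiences(claims)} fits flow '{actual}', but the client "
            f"is configured for '{configured_flow}'; STS rejects this as "
            f"'InvalidIdentityToken: Incorrect token audience'")


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT so the example runs offline."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims resembling the projected token from the pod spec.
SAMPLE_CLAIMS = {
    "aud": ["pods.eks.amazonaws.com"],
    "exp": 1739000000,
    "iss": "https://oidc.eks.ap-northeast-2.amazonaws.com/id/EXAMPLE",
    "sub": "system:serviceaccount:atlantis:atlantis",
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    # Read the real mounted token when run inside the pod; otherwise use the sample.
    path = os.environ.get("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
    token = open(path).read() if path and os.path.exists(path) else SAMPLE_TOKEN
    claims = decode_claims(token)
    flow = detect_configured_flow(dict(os.environ))
    if flow == "unknown":
        flow = "irsa"  # matches the issue's role_arn + web_identity_token_file profile
    print("token audience:", audiences(claims), "-> flow:", classify(claims))
    print(explain_mismatch(claims, flow) or "token and client configuration agree")
```

Run inside the pod it reads the mounted token; run elsewhere it falls back to the constructed sample, which reproduces the mismatch the Terraform error reports (a `pods.eks.amazonaws.com` token handed to the web-identity flow).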