/chart - singleuser.extraAnnotations doesn't work role with aws

Gustavo_Ciria · June 25, 2021, 12:40pm

Bug description

I can’t connect to my s3 bucket using my role in extraAnnotations.

Example:

  events: true
  extraAnnotations:
    iam.amazonaws.com/role: my-role
  extraLabels:
    hub.jupyter.org/network-access-hub: "true"

The annotation is created in the pod, but through the terminal, I can’t list my buckets.

Previous versions worked. Latest version does not work either.

If I upload a POD with any image manually using this annotation, I have access to AWS without credentials using my role. Only with chart does not work.

Expected behaviour

When adding role, it should be possible to connect to aws using awscli in notebook.

Actual behaviour

Prompts for credentials and no communication with kube2iam takes place.

Unable to locate credentials. You can configure credentials by running "aws configure".

How to reproduce

Add role in singleuser notes and try to access AWS.

Your personal set up

EKS 1.17
HELM 3
CHART 0.11.1
APP 1.3.0
kube2iam

manics · June 25, 2021, 6:31pm

Hi! Could you show us your full Z2JH configuration, with secrets redacted?

Gustavo_Ciria · June 25, 2021, 6:57pm

Hi guys!
I just found the solution.

It is necessary to disable singleuser.cloudMetadata (false)
That way singleuser annotations can communicate with AWS, and my aws s3 ls worked

Thanks for listening

Topic		Replies	Views
IAM role not working for S3 storage of notebook code Zero to JupyterHub on Kubernetes	2	1397	September 25, 2020
User Specific AWS secrets Zero to JupyterHub on Kubernetes	1	1022	October 20, 2020
JupyterHub user pod can't assume EKS node role Zero to JupyterHub on Kubernetes	0	403	May 13, 2022
Access S3 Bucket from Jupyter Notebook JupyterHub	3	4111	December 14, 2021
Jupyterhub sharing notebooks between users in Elastic Kubernetes Service Zero to JupyterHub on Kubernetes how-to , help-wanted	2	1078	September 14, 2022