Unable to use AWS IAM role for S3 backend storage #794
Comments
Any update on this? Thanks.
Created PR - #811
Would be nice to get this released as v1.1.2
@davidg-sainsbury did you manage to run Harbor with IAM role on EKS? I'm trying to do the same thing, but even with your fix, I believe I'm hitting this issue: distribution/distribution#3275. Switching to an IAM account with the same policies works just fine, but I get access denied errors when no credentials are specified. Unfortunately, it's not really easy to determine what kind of access the registry is trying to use.
We switched to the helm version of harbor rather than using the operator before I had a chance to test this. However, we are experiencing the same issue as you and are waiting for the fix in the distribution engine - goharbor/harbor#16435. As per your link to the issue, until distribution is using the newer AWS SDK you won't be able to use the AWS IAM permissions to access S3 from the harbor registry pods.
Thanks for the confirmation @davidg-sainsbury!
@sagikazarmark - harbor registry still has an issue with access to S3 via IAM roles with the latest pre-release of Harbor - v2.5.0-rc1 (goharbor/harbor#16490). ChartMuseum appears to be fixed.
Any further updates on this? Is STS (https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) perhaps a viable workaround?
Hey folks, I'd like to know if this is already fixed or not. I'm having trouble with S3 storage backends using IAM roles and IRSA, but I'm not sure if this is a problem on my end or generally still not solved. Appreciate any feedback.
It is an issue in Harbor operator, not in Harbor.
Harbor operator should remove this access key/secret key check.
@stonezdj it is not resolved for IRSA in EKS, which is still unsupported by Harbor as of writing.
Any chance to have IRSA support? :( Using 2.9.0
Expected behavior and actual behavior:
The registry pod via a Kubernetes ServiceAccount and IAM policy should be able to access an S3 bucket as backend storage.
Steps to reproduce the problem:
ServiceAccount snippet:
IAM Policy
Versions:
Please specify the versions of following systems.
Additional context:
registry operator errors when trying to create the deployment:
If I create a secret (key=secret) and modify the harbor-cluster config to include the `secretkeyref` for that secret, the registry pod starts but still fails to access the S3 bucket, as it appears it's not using the IAM policy via the SA. Referring to the implementation of the S3 driver (https://docs.docker.com/registry/storage-drivers/s3/), it should only be included if you are using the AWS secret credentials rather than the role/policy.
In your CRD for `harborcluster` only bucket and region are required fields:

```yaml
required:
- bucket
- region
```
However, in this PR #266 the `secretkeyref` is always expected, but if that is the case then we can't use IAM roles as per the implementation of the S3 driver (https://docs.docker.com/registry/storage-drivers/s3/).