New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Not able to use AWS IAM role in harbor registry with pre-release v2.5.0-rc1 for AWS S3 backend #16490
Comments
It seems that distribution v2.8 supports this feature, the Harbor replication needs to change for this feature |
I'm running Harbor v2.5.0 and still unable to use S3 backed storage for the registry when assuming an IAM role.
Replication logs:
If I turn S3 back off this starts working again. The IAM Role linked to the SA is definitely authorised to use S3. |
@MinerYang @wy65701436 @YangJiao0817 can you comment please? |
I am still running into this issue using 2.6.0, it seems that the SDK can't find the credentials mounted in the registry pod for whatever reason. I am getting the following in the registry logs:
I am not sure if this is just an old AWS SDK version or something else, I have tried re-deploying the pods and verified that the token is mounted in the pod at the standard |
I have the same problem as the previous speakers described. Is there any news yet? |
Hi @MinerYang @wy65701436 @YangJiao0817, quite a few people seem to be seeing this issue now. Can you share an update please? |
Hi @MinerYang @wy65701436 @YangJiao0817 @Vad1mo @goharbor/all-maintainers anyone can provide feedback on the issue ? Thank you! |
This is a duplicate of #12888 see my note #12888 (comment) |
@Vad1mo why did you reopen it ? :) |
I am still unsure if we should keep it open or only close it once it is resolved upstream. Given the velocity of Docker Distribution this won't happen within the next 90 days. |
it looks like it is fixed in the main branch of distribution github repo. Any plan on a release supporting irsa? Thanks! |
I believe, no. Support of IRSA isn't available in any of distribution releases. It's present only in main branch. It isn't feasible for harbor to depend on some arbitrary git sha from distrubution repo. Feel free to address this to distribution, so they actually release next version with this feature. |
Just to link this from here... distribution/distribution#3756 Would be really nice if they cut a release so we could get this sorted. |
Since harbor leverages the upstream distribution to interact with the AWS, we will keep eyes on the upstream release, as soon as a newer version becomes available, Harbor will bump. |
as per the distribution discussion:
@wy65701436 is it at all possible to pin to an edge tag with the aws-sdk-go updates included? Distribution will never push this update (until v3.0, but who knows when that will be ready) |
We just ran into this when setting up harbor. Quite a bummer to be honest. Given the mentioned comment from the discussion, I second the idea of pinning an edge tag for distribution. |
Hi @wy65701436, any update on if this is possible? This would really help us move through this long standing blocker! |
Alternatively to using a distribution edge tag, a less invasive approach could be to use the 2.8.1 distribution source code and only update the aws-sdk-go package to at least 1.23.13 (according to AWS docs) via a patch file. Something similar is already done for redis. Not sure how much pain that would be, e.g. due to possible breaking changes in the aws-go-sdk, but might be worth a shot. |
We already apply patches from upstream docker distribution, but only if they are merged but not yet released. It's easy, see this PR for reference #16322 |
I already gave it a shot, so far unfortunately unsuccessful. I must admit, I am not too familiar with how golang handles dependencies, nor with the harbor build setup. The change from a vendor.conf to golang modules within distribution doesn't make it easier. What I tried so far:
I'll be gone on vacation for the next week, if no-one else picks up this task until then and depending on my workload, I'll probably resume working on this on the 3rd (and bring along a colleague with more golang experience than I have 😅). |
P.S.: just did some more issues digging. It appears that, contrary to what the discussion in the linked issue led me to believe, the current distribution edge release actually does not support IRSA (anymore?) according to distribution/distribution#3275 (comment). So if anyone wants to tackle this, you would probably want to look at getting it working on distribution edge first, before attempting to backport support to 2.8.1 via patch file within harbor. |
Same Issue has been raised here #18699. Closed as duplicate. Hello Team, Given that the AWS SDK supports assuming a role , pods running in EKS/GKE with the storage target as AWS S3 should be able to assume a role to connect to the S3 buckets. Example or Brief can be found here : https://confluence.eng.vmware.com/display/public/AEAV/Service+User+Model Versions: harbor version: [2.3.3] (via helm chart) Expected behavior and actual behavior:
It would be great if this feature request can be prioritised as BLOKER : Currently It is a Hard blocker from Harbor for us to get TanzuNet Production AWS accounts to get on-boarded with VMware CloudGate. Having this feature request implemented resolves our blocker. Let me know if any further details are required. Thanks, |
To add weightage, |
To add another datapoint: lack of assume role support is making it very difficult for us to use Harbor in a high security compliance environment in the financial services industry. It's not quite a total blocker but it's certainly costing a lot of effort in terms of security/compliance exception management :) |
In case anyone cares, this issue seems to be the same if using IMDSv2 when running harbor on EC2 instances and trying to use the instance role. Increased the hops to 4 and it still wasnt working until i set http-tokens to optional |
2nd that , enforced IMDSv2 to meet Security standards (NIST) and Harbor cannot access the S3 bucket by Assume Role anymore. I will stop reading the release notes hoping for a fix then. |
Anyone have any update on this. Looks like we are waiting for distribution v3 to be released? |
Expected behavior and actual behavior:
Should be able to replicate the harbour images to an AWS S3 storage bucket.
As per this PR #16435 which is included in pre-release v2.5.0-rc1 there should now be support for IAM roles for Service Accounts in AWS EKS. This does now work for harbor chartmuseum but we still have an issue with harbor registry (see error log below).
Steps to reproduce the problem:
Create a replication rule to pull from AWS ECR with a destination endpoint of an S3 bucket. Fails to write the images due to an AWS credentials issue. The harbor registry pod has the correct service account mounted with the correct IAM privileges to access and write to the S3 bucket.
Versions:
goharbor/registry-photon:v2.5.0-rc1
goharbor/harbor-registryctl:v2.5.0-rc1
Additional context:
harbor helm values:
persistence:
imageChartStorage:
type: s3
s3:
bucket: my-aws-s3-bucket
region: eu-west-1
Error message in harbor registry pod when trying to replicate image to an AWS S3 backend using a service account and IAM policy:
The text was updated successfully, but these errors were encountered: