SDK is not using the designated IRSA
AWS SDK obtains instance credentials from EKS rather than EC2
I am using Spring Cloud AWS to send messages to SNS; locally the credential chain handles the .aws/credentials file fine. In the cloud, however, it is not so easy.
For the cloud deployment we are using IAM roles for service accounts. According to the SDK doc, the credential chain will assume this role if no other credentials in the chain are found.
That would be the simple way, but it does not happen: when Spring starts up it somehow assumes the role assigned to the EKS node, which in theory it should not even fill in. This is incorrect and causes a permission error when I use SNS:
software.amazon.awssdk.services.sns.model.AuthorizationErrorException: User: arn:aws:sts::*******:assumed-role/eksctl-*******-eks-qa-nodegroup-spo-NodeInstanceRole-*******/i-******* is not authorized to perform: SNS:ListTopics
I tried several ways to handle it properly, including
```java
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.services.sns.AmazonSNS;
import com.amazonaws.services.sns.AmazonSNSClientBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;

@Bean
@Primary
public AmazonSNS amazonSns() {
    // InstanceProfileCredentialsProvider reads the EC2 instance metadata service,
    // i.e. the credentials of the node's instance role.
    return AmazonSNSClientBuilder.standard()
            .withCredentials(new InstanceProfileCredentialsProvider())
            .build();
}
```
```yaml
cloud:
  aws:
    credentials:
      use-default-aws-credentials-chain: true
```
and some others.
I isolated the bug: SDK v1 is responsible. I deployed a pure SDK v2 version of the code, without changing anything in the environment, and it works correctly, using the credential chain and getting the right role.
I have already checked this, and the version used by Spring is 1.11.951, while with the pure SDK I used 1.12.142. The minimum version per the doc is 1.11.704.
Using the pure SDK v2 is a bit of a chore and unnecessary if Spring already provides this implementation; Spring Cloud AWS V3.0 will use it by default.
My gradle.build
```groovy
plugins {
    id 'org.springframework.boot' version '2.6.2'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
    id 'java'
}

group = 'com.multilaser.worker'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '17'

ext {
    set('springCloudVersionAws', "2.3.2")
}

repositories {
    mavenCentral()
    mavenLocal()
}

configurations {
    compileOnly {
        extendsFrom annotationProcessor
    }
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    implementation 'io.awspring.cloud:spring-cloud-starter-aws'
    implementation 'io.awspring.cloud:spring-cloud-starter-aws-messaging'
    implementation 'io.awspring.cloud:spring-cloud-aws-autoconfigure'
    compileOnly 'org.projectlombok:lombok'
    annotationProcessor 'org.projectlombok:lombok'
    implementation 'org.springframework.boot:spring-boot-starter-actuator'
    annotationProcessor 'org.mapstruct:mapstruct-processor:1.4.2.Final'
}

dependencyManagement {
    imports {
        mavenBom "io.awspring.cloud:spring-cloud-aws-dependencies:${springCloudVersionAws}"
    }
}
```
deploy.yml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ----
  namespace: ---
  labels:
    app: ---
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ---
  template:
    metadata:
      labels:
        app: ---
    spec:
      serviceAccountName: ----
      containers:
        - name: ---
          image: ---
          imagePullPolicy: Always
          resources:
            requests:
              memory: "256Mi"
              cpu: "80m"
            limits:
              memory: "800Mi"
              cpu: "500m"
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /actuator/health
              port: 8080
              httpHeaders:
                - name: X-Custom-Header
                  value: ReadinessProbe
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /actuator/health
              port: 8080
              httpHeaders:
                - name: X-Custom-Header
                  value: LivenessProbe
            initialDelaySeconds: 35
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 10
          envFrom:
            - configMapRef:
                name: ---
            - secretRef:
                name: ---
          ports:
            - containerPort: 8080
            - containerPort: 5005
```
Adding the library aws-java-sdk-sts to the project solved the problem:
```groovy
implementation group: 'com.amazonaws', name: 'aws-java-sdk-sts', version: '1.11.951'
```
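The failure in the question is a silent fallback: when the SDK v1 default chain cannot use the web-identity token (here because the STS module was missing), it falls through to the node's instance profile, so the pod runs with the node role instead of the role IRSA assigned. The configuration below, an added example and not code from the question, the answer or the Spring Cloud AWS project, pins the SNS client to the IRSA provider and refuses to start if STS reports a different role. It assumes the aws-java-sdk-sts artifact from the answer is on the classpath and that the pod carries the IRSA variables AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE; the class name IrsaSnsConfig is made up.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.amazonaws.services.sns.AmazonSNS;
import com.amazonaws.services.sns.AmazonSNSClientBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;

// Hypothetical config class (added example), not part of the original project.
@Configuration
public class IrsaSnsConfig {

    @Bean
    @Primary
    public AmazonSNS amazonSns() {
        // Explicit IRSA provider: reads AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE
        // and calls STS AssumeRoleWithWebIdentity (needs aws-java-sdk-sts). Unlike
        // the default chain it cannot fall through to the node's instance profile.
        AWSCredentialsProvider irsa = WebIdentityTokenCredentialsProvider.create();
        assertRunningAsIrsaRole(irsa); // fail fast, before the first SNS call
        return AmazonSNSClientBuilder.standard()
                .withCredentials(irsa)
                .build();
    }

    // Ask STS who we are and refuse to start unless it is the IRSA role.
    static void assertRunningAsIrsaRole(AWSCredentialsProvider creds) {
        String roleArn = System.getenv("AWS_ROLE_ARN");
        if (roleArn == null) {
            throw new IllegalStateException("AWS_ROLE_ARN not set: pod is not running under IRSA");
        }
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(creds)
                .build();
        String callerArn = sts.getCallerIdentity(new GetCallerIdentityRequest()).getArn();
        // The caller is arn:aws:sts::<acct>:assumed-role/<RoleName>/<session>, while
        // AWS_ROLE_ARN is arn:aws:iam::<acct>:role/<RoleName>, so compare the role name.
        String roleName = roleArn.substring(roleArn.lastIndexOf('/') + 1);
        if (!callerArn.contains(":assumed-role/" + roleName + "/")) {
            throw new IllegalStateException(
                    "Running as " + callerArn + " instead of IRSA role " + roleName);
        }
    }
}
```

With the node role from the question's error message, the check throws at startup instead of surfacing later as an SNS AuthorizationErrorException.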