无法从链中的任何提供程序加载AWS凭证：WebIdentityTokenCredentialsProvider：无法找到指定的Web身份令牌文件

Question

我正在使用aws eks fargate deployment.yaml文件部署服务，并且我的服务将连接到dynamodb，并且在加载ID时会引发错误。即使我通过执行以下命令获得了Web令牌文件。

kubectl exec -n first-namespace first-deployment-fhghgj567kkk-257xq env | grep AWS

AWS_REGION=us-east-1
AWS_ROLE_ARN=arn:aws:iam::263011912432:role/firstRole
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

但是仍然会引发以下错误。

Caused by: com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: 
[EnvironmentVariableCredentialsProvider: 
Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) 
and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), 
SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), 
WebIdentityTokenCredentialsProvider: Unable to locate specified web identity token file: 
/var/run/secrets/eks.amazonaws.com/serviceaccount/token, 
com.amazonaws.auth.profile.ProfileCredentialsProvider@7b58e085: profile file cannot be null, 
com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@39cb0014: Failed to connect to service endpoint: ]

我将其放入容器中，并检查令牌是否仍存在。

有人可以帮忙吗？谢谢

Answer 1

我有一个类似的问题，就我而言，我必须升级java sdk并添加一个服务帐户，我没有尝试自己调用dynamo，但是s3和lambdas可以正常工作。这是我遵循的步骤，这是docs链接：https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html

首先，启用OIDC

eksctl utils associate-iam-oidc-provider --cluster cluster_name --approve

然后创建并应用您的服务帐户，请注意，该角色必须有权访问您要使用的任何服务（发电机）：

apiVersion: v1
kind: ServiceAccount
metadata:
  name: fargateserviceaccount
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT:role/MY_ROLE_NAME

在您的窗格上，定义服务帐户和env变量：

spec:
  serviceAccountName: <ServiceAccountName> (kubectl get sa)
  containers:
    - name: java-api
      image: <AccountID>.dkr.ecr.us-east-1.amazonaws.com/<Repo>:<tag>
      env:
        - name: AWS_REGION
          value: us-east-1

最后在代码中使用WebIdentityTokenCredentialsProvider

// Create Credentials provider using ENV variables -> Service account is used to run  Fargate
WebIdentityTokenCredentialsProvider awsCredentialProvider = WebIdentityTokenCredentialsProvider.builder()
        .roleArn(System.getenv("AWS_ROLE_ARN"))
        .roleSessionName(System.getenv("AWS_ROLE_SESSION_NAME"))
        .webIdentityTokenFile(System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE"))
        .build();
// Build client using explicit credentials provider
AWSLambdaClientBuilder builder = AWSLambdaClientBuilder.standard()
        .withRegion(REGION)
        .withCredentials(awsCredentialProvider);
client = builder.build();