2.2.2 regression: S3 storage does not work with AWS IRSA authentication anymore #2888
Comments
I found a workaround for this issue: after blocking access to IMDS, Tempo uses IRSA credentials again.
Facing the same issue on EKS after upgrading to Tempo 2.2.2. In my case the proposed workaround requires complex changes and I don't consider it something simple to implement. For now I have reverted to 2.2.1 and am waiting for a fix in Tempo.
Hi folks. I've opened this PR #2889, which should fix the error you're seeing. I've manually tested it, but it'd be great if you're able to test it in your environments as well 🙏. To create a build from the PR, check out the branch and run
Thanks @mapno for providing a bug fix!
This doesn't actually seem to fix anything. I am still getting
This is also more complicated than it needs to be ... the minio client chain works without needing separate options to turn it on or off. https://github.com/restic/restic/blob/master/internal/backend/s3/s3.go#L63C1-L95C3
I am not an expert on s3 auth so I can't say for sure what the right fix is here. The config option added If you can suggest/PR a series of credential checks that works for all parties we would love to integrate it into the codebase. Please let us know 🙏
Ha, just saw your PR! Thanks :). Taking a look now.
@joe-elliott all good. I just happened to hit the issue and comment and then take a look at the code and realize that I just ran into this on another project using minio SDK and decided to fix it. Let me know if you need anything.
When will this issue be resolved? We are deploying the operator pattern using helm. Looking forward to a solve. Best
We are struggling to get a fix b/c it's difficult for us to test all of the different AWS auth modes. There is a proposed fix here: The author included an image. Can you test to see if this works for you?
For me, adding an extraEnv to specify the token file fixed my s3 issues.
Describe the bug
After upgrading Tempo from 2.2.1 to 2.2.2 our Tempo instances could no longer access S3. We use AWS IRSA [1] to provide AWS credentials.
The regression seems to be introduced by #2871
My current guess is the AWS SDK now prefers the EC2 instance role over IRSA.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Tempo should continue to use the AWS IRSA provided credentials.
Environment:
Additional Context
Service logs (compactor):
AWS environment variables in a running container:
Storage configuration (copied from tempo-distributed Helm values):
Footnotes
[1] https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
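The reporter's guess (a chain that consults the EC2 instance role before IRSA) and the first comment's workaround (blocking IMDS) can be modelled as a first-match-wins provider chain. The Go model below is an added example, not part of the original issue and not Tempo, minio-go or AWS SDK code; the `Provider` type, the chain names, `node-instance-role` and the sample environment values are assumptions constructed for illustration.

```go
package main

import "fmt"

// Provider is one hypothetical credential source; the first success wins.
type Provider struct {
	Name     string
	Retrieve func(env map[string]string, imdsUp bool) (identity string, ok bool)
}

// IRSA model: needs both variables EKS injects for the service account.
var irsa = Provider{"web-identity", func(env map[string]string, _ bool) (string, bool) {
	arn, tok := env["AWS_ROLE_ARN"], env["AWS_WEB_IDENTITY_TOKEN_FILE"]
	return arn, arn != "" && tok != ""
}}

// IMDS model: answers on any node where the metadata endpoint is reachable.
var imds = Provider{"imds", func(_ map[string]string, imdsUp bool) (string, bool) {
	return "node-instance-role", imdsUp
}}

// Two orderings of the same providers (names are hypothetical).
var IRSAFirst, IMDSFirst = []Provider{irsa, imds}, []Provider{imds, irsa}

// Resolve walks the chain and returns the winning source and its identity.
func Resolve(chain []Provider, env map[string]string, imdsUp bool) (string, string, bool) {
	for _, p := range chain {
		if id, ok := p.Retrieve(env, imdsUp); ok {
			return p.Name, id, true
		}
	}
	return "", "", false
}

// SampleEnv is constructed sample data, not values from the issue.
var SampleEnv = map[string]string{
	"AWS_ROLE_ARN":                "arn:aws:iam::111122223333:role/tempo-example",
	"AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}

func main() {
	for _, imdsUp := range []bool{true, false} {
		src, id, _ := Resolve(IMDSFirst, SampleEnv, imdsUp)
		fmt.Printf("IMDS first, IMDS reachable=%v: %s (%s)\n", imdsUp, src, id)
	}
	src, id, _ := Resolve(IRSAFirst, SampleEnv, true)
	fmt.Printf("IRSA first, IMDS reachable=true: %s (%s)\n", src, id)
}
```

With IMDS consulted first, the pod silently runs as the node's role whenever the metadata endpoint answers, so the S3 permissions granted to the IRSA role never apply; checking which identity a pod actually resolved is the quickest way to confirm this kind of shadowing.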