Velero: Support for IAM roles for service accounts in EKS

Created on 29 Sep 2020 · 1 Comment · Source: vmware-tanzu/velero

Hi, I'm wondering if velero supports IAM roles for service accounts. In the readme the only two options mentioned are an AWS user and kube2iam.

Labels: Area/Cloud/AWS, Enhancement/User, Help wanted, Icebox, Reviewed Q2 2021

All comments

I configured velero with IAM roles for service accounts:

➜  ~ k -n velero exec -it velero-7bb5c888c4-jv8dj -- env | grep AWS
AWS_ROLE_ARN=arn:aws:iam::[ACCOUNT_ID]:role/pre-dev-velero-role
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

However, it looks like the plugin does not support this option.

➜  ~ k -n velero logs -f velero-7bb5c888c4-jv8dj
time="2020-09-29T11:35:57Z" level=info msg="Checking for existing backup locations ready to be verified; there needs to be at least 1 backup location available" controller=backupstoragelocation logSource="pkg/controller/backupstoragelocation_controller.go:58"
time="2020-09-29T11:37:27Z" level=error msg="Error listing backups in backup store" backupLocation=default controller=backup-sync error="rpc error: code = Unknown desc = AccessDenied: Access Denied\n\tstatus code: 403, request id: D2D87E673B947D97, host id: zbFi7FwLkfKYaAaXboowwkNBxXU8A2z1SA1ofCJ5S2Wwqs1v7AvHQCjFdXgBa3HQq27UU5ufqlw=" error.file="/go/src/github.com/vmware-tanzu/velero-plugin-for-aws/velero-plugin-for-aws/object_store.go:331" error.function="main.(*ObjectStore).ListCommonPrefixes" logSource="pkg/controller/backup_sync_controller.go:175"
time="2020-09-29T11:38:00Z" level=warning msg="The specified default backup location named \"default\" is unavailable; for convenience, be sure to configure it properly or make another backup location that is available the default" backupstoragelocation=default controller=backupstoragelocation logSource="pkg/controller/backupstoragelocation_controller.go:105"
time="2020-09-29T11:38:00Z" level=error msg="Current backup storage locations available/unavailable/unknown: 0/1/0, Backup location \"default\" is unavailable: rpc error: code = Unknown desc = AccessDenied: Access Denied\n\tstatus code: 403, request id: E3B416F2C83195E1, host id: BWLKry8uptDp300YEgU8xCd51qu6BpFBi4QvrQ41QfqOTuGDpxa/SZjx0Wzwdzs6qk+638rqYxc=)" controller=backupstoragelocation logSource="pkg/controller/backupstoragelocation_controller.go:152"

And backup storage output:

➜  ~ k -n velero get backupstoragelocation default
NAME      PHASE         LAST VALIDATED   AGE
default   Unavailable   6s               20h

It would be nice to add support for it as this is a newer solution than kube2iam.
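The comment above checks IRSA wiring by hand: the two injected environment variables, then the plugin's 403. The following is an added example (not part of this issue, and not Velero or velero-plugin-for-aws code) that automates the pod-side half of that check. It reads the same two variables the EKS pod identity webhook injects, decodes the projected token's claims without verifying the signature (STS does the verification; here we only want to see what the pod presents), and confirms the audience, the service-account subject and the expiry. The function names (`check_irsa`, `check_this_pod`), the claim values, the account ID and the token file contents are constructed for the stand-alone run and are not taken from the issue. An empty result means the pod side looks correct; a 403 like the one in the logs would then have to be explained by how the plugin builds its AWS credentials or by the role's policy and trust relationship, neither of which this check can see.

```python
"""Pod-side IRSA diagnostic (added example, not Velero project code)."""
import base64
import json
import os
import time
from typing import Callable, Dict, List, Optional

EXPECTED_AUDIENCE = "sts.amazonaws.com"   # audience carried by EKS IRSA tokens


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_irsa(env: Dict[str, str], read_file: Callable[[str], str],
               namespace: str, service_account: str,
               now: Optional[float] = None) -> List[str]:
    """Return the problems found; an empty list means IRSA looks wired up on the pod side."""
    problems: List[str] = []
    role_arn = env.get("AWS_ROLE_ARN", "")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE", "")
    if not role_arn.startswith("arn:aws:iam::"):
        problems.append("AWS_ROLE_ARN missing or malformed")
    if not token_file:
        problems.append("AWS_WEB_IDENTITY_TOKEN_FILE not set")
        return problems
    try:
        token = read_file(token_file).strip()
    except OSError as exc:
        problems.append(f"token file unreadable: {exc}")
        return problems
    try:
        claims = decode_jwt_claims(token)
    except ValueError as exc:
        problems.append(f"token malformed: {exc}")
        return problems
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if EXPECTED_AUDIENCE not in aud:
        problems.append(f"aud {aud} does not include {EXPECTED_AUDIENCE}")
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        problems.append(f"sub {claims.get('sub')!r} != {expected_sub!r}")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token expired; projected volume not refreshing?")
    return problems


def check_this_pod(namespace: str, service_account: str) -> List[str]:
    """Run the check against the real environment and filesystem of the current pod."""
    return check_irsa(dict(os.environ), lambda p: open(p).read(), namespace, service_account)


# --- constructed sample data so the example runs offline (not from the issue) ---
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/pre-dev-velero-role",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}
SAMPLE_CLAIMS = {
    "iss": "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE",
    "aud": ["sts.amazonaws.com"],
    "sub": "system:serviceaccount:velero:velero",
    "exp": 4102444800,   # 2100-01-01, so the sample token never expires
}


def make_unsigned_token(claims: dict) -> str:
    """Build header.payload.signature with a dummy signature (test data only)."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.{b64({'sig': 'dummy'})}"


def sample_fs(path: str) -> str:
    """Fake filesystem holding only the constructed projected token."""
    files = {SAMPLE_ENV["AWS_WEB_IDENTITY_TOKEN_FILE"]: make_unsigned_token(SAMPLE_CLAIMS)}
    if path not in files:
        raise FileNotFoundError(path)
    return files[path]


if __name__ == "__main__":
    print(check_irsa(SAMPLE_ENV, sample_fs, "velero", "velero"))
```

Inside a real pod, `check_this_pod("velero", "velero")` does the same against the live environment; the namespace and service-account name must match the ones the role's trust policy was written for, which is why the subject check is part of the diagnostic.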
