You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe what happened:
we're attempting to minimize the instance profile permissions and remove ec2:describeTags from the instance role, and use IRSA role and permissions. we're currently running imdsv2 and v1 access is disabled. (no tag access via the metadata api at the moment)
everytime the agent starts up, it is always using the instance profile, even though the pod has IRSA assignment.
When checking the code, it is initializing with ec2.New() and failing to pick up the local credentials (one that is provided by IRSA), fix has been raised in the PR
Describe what you expected:
datadog-agent to initialise with the stored credentials from IRSA and use it accordingly.
Steps to reproduce the issue:
setup EKS environment with cluster node without IMDSv2, disable v1 access and set hop count to 2 (so pod can still access the metadata)
make sure the instance profile has enough permission to perform join cluster, etc but without ec2:describeTaggs
configure datadog-agent pod to use IRSA with the IAM role permission with ec2:describeTags as well as datadog.yaml config with
2024-10-08 03:34:13 UTC | CORE | WARN | (pkg/util/ec2/ec2_tags.go:104 in fetchEc2TagsFromAPI) | unable to get tags using default credentials (falling back to instance role): operation error EC2: DescribeTags, https response error StatusCode: 400, RequestID: 82d0e092-056f-43a6-a70b-976f6956532c, api error MissingParameter: The request must contain the parameter AWSAccessKeyId
2024-10-08 03:34:14 UTC | CORE | WARN | (pkg/util/ec2/ec2_tags.go:181 in GetTags) | unable to get tags from aws and cache is empty: operation error EC2: DescribeTags, https response error StatusCode: 403, RequestID: 147135df-8167-4b84-8ae0-ab0bf1947ebe, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::762127954425:assumed-role/dev-eks-worker-role/i-0f34b0a54b48e785d is not authorized to perform: ec2:DescribeTags because no identity-based policy allows the ec2:DescribeTags action
Agent Environment
Agent (v7.56.1)
EKS version 1.30
Cloud env: AWS
datadog.yaml
Describe what happened:
we're attempting to minimize the instance profile permissions and remove ec2:describeTags from the instance role, and use IRSA role and permissions. we're currently running imdsv2 and v1 access is disabled. (no tag access via the metadata api at the moment)
everytime the agent starts up, it is always using the instance profile, even though the pod has IRSA assignment.
When checking the code, it is initializing with ec2.New() and failing to pick up the local credentials (one that is provided by IRSA), fix has been raised in the PR
Describe what you expected:
datadog-agent to initialise with the stored credentials from IRSA and use it accordingly.
Steps to reproduce the issue:
setup EKS environment with cluster node without IMDSv2, disable v1 access and set hop count to 2 (so pod can still access the metadata)
make sure the instance profile has enough permission to perform join cluster, etc but without ec2:describeTaggs
configure datadog-agent pod to use IRSA with the IAM role permission with ec2:describeTags as well as datadog.yaml config with
start the pod and you will see errors like
Additional environment details (Operating System, Cloud provider, etc):
Cloud Provider: AWS
The text was updated successfully, but these errors were encountered: