
[BUG] datadog-agent pod cannot assume AWS IRSA credentials #29916

Open
Greyeye opened this issue Oct 8, 2024 · 0 comments · May be fixed by #29784


Greyeye commented Oct 8, 2024

Agent Environment

Agent (v7.56.1)
EKS version 1.30
Cloud env: AWS

datadog.yaml

  collect_ec2_tags: true
  collect_ec2_tags_use_imds: true
  ec2_prefer_imdsv2: true

Describe what happened:
We're attempting to minimize the instance profile permissions and remove ec2:describeTags from the instance role, and use the IRSA role and permissions instead. We're currently running IMDSv2 and v1 access is disabled (no tag access via the metadata API at the moment).
Every time the agent starts up, it always uses the instance profile, even though the pod has an IRSA assignment.

When checking the code, it is initializing with ec2.New() and failing to pick up the local credentials (the ones provided by IRSA); a fix has been raised in the PR.

Describe what you expected:
datadog-agent to initialise with the stored credentials from IRSA and use them accordingly.

Steps to reproduce the issue:
Set up an EKS environment with a cluster node without IMDSv2, disable v1 access and set the hop count to 2 (so the pod can still access the metadata).
Make sure the instance profile has enough permissions to join the cluster, etc., but without ec2:describeTags.
Configure the datadog-agent pod to use IRSA with an IAM role that has the ec2:describeTags permission, as well as the datadog.yaml config with

  collect_ec2_tags: true
  collect_ec2_tags_use_imds: true
  ec2_prefer_imdsv2: true

Start the pod and you will see errors like

2024-10-08 03:34:13 UTC | CORE | WARN | (pkg/util/ec2/ec2_tags.go:104 in fetchEc2TagsFromAPI) | unable to get tags using default credentials (falling back to instance role): operation error EC2: DescribeTags, https response error StatusCode: 400, RequestID: 82d0e092-056f-43a6-a70b-976f6956532c, api error MissingParameter: The request must contain the parameter AWSAccessKeyId
2024-10-08 03:34:14 UTC | CORE | WARN | (pkg/util/ec2/ec2_tags.go:181 in GetTags) | unable to get tags from aws and cache is empty: operation error EC2: DescribeTags, https response error StatusCode: 403, RequestID: 147135df-8167-4b84-8ae0-ab0bf1947ebe, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::762127954425:assumed-role/dev-eks-worker-role/i-0f34b0a54b48e785d is not authorized to perform: ec2:DescribeTags because no identity-based policy allows the ec2:DescribeTags action

Additional environment details (Operating System, Cloud provider, etc):
Cloud Provider: AWS

@Greyeye Greyeye linked a pull request Oct 8, 2024 that will close this issue
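As an added defender-side example (not code from this issue or from the datadog-agent project): a small Go program that scans agent log lines like the ones above for the "falling back to instance role" warning followed by a denial issued to the node role rather than the pod's IRSA role, and checks whether the pod even carries the IRSA environment the EKS pod identity webhook injects. The sample log is constructed from the lines in the issue with placeholder account, instance and request IDs, and the IRSA role name `datadog-agent` is an assumption.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample modelled on the WARN lines in the issue; account, instance and request IDs are placeholders.
const sampleAgentLog = `2024-10-08 03:34:13 UTC | CORE | WARN | (pkg/util/ec2/ec2_tags.go:104 in fetchEc2TagsFromAPI) | unable to get tags using default credentials (falling back to instance role): operation error EC2: DescribeTags, https response error StatusCode: 400, RequestID: 00000000-0000-0000-0000-000000000001, api error MissingParameter: The request must contain the parameter AWSAccessKeyId
2024-10-08 03:34:14 UTC | CORE | WARN | (pkg/util/ec2/ec2_tags.go:181 in GetTags) | unable to get tags from aws and cache is empty: operation error EC2: DescribeTags, https response error StatusCode: 403, RequestID: 00000000-0000-0000-0000-000000000002, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::123456789012:assumed-role/dev-eks-worker-role/i-0123456789abcdef0 is not authorized to perform: ec2:DescribeTags because no identity-based policy allows the ec2:DescribeTags action`

// Finding records one AWS API failure reported in an agent log line.
type Finding struct {
	Service, Operation, StatusCode, ErrorCode string
	FellBackToInstanceRole                    bool   // agent abandoned the default (IRSA-capable) credential chain
	CallerRole                                string // IAM role name behind the STS principal AWS denied, if any
}

var apiErrRe = regexp.MustCompile(`operation error (\w+): (\w+), https response error StatusCode: (\d+), RequestID: [^,]+, api error (\w+):`)
var callerRe = regexp.MustCompile(`User: arn:aws:sts::\d+:assumed-role/([^/ ]+)/\S+ is not authorized`)
// ScanAgentLog returns one Finding per line carrying an AWS SDK v2 style operation error.
func ScanAgentLog(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := apiErrRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		f := Finding{Service: m[1], Operation: m[2], StatusCode: m[3], ErrorCode: m[4],
			FellBackToInstanceRole: strings.Contains(line, "falling back to instance role")}
		if c := callerRe.FindStringSubmatch(line); c != nil {
			f.CallerRole = c[1]
		}
		out = append(out, f)
	}
	return out
}
// IRSABypassed: the agent fell back to the instance role and AWS then denied a role other than the IRSA one.
func IRSABypassed(findings []Finding, irsaRoleName string) bool {
	fellBack, otherRole := false, false
	for _, f := range findings {
		fellBack = fellBack || f.FellBackToInstanceRole
		otherRole = otherRole || (f.CallerRole != "" && f.CallerRole != irsaRoleName)
	}
	return fellBack && otherRole
}
// IRSAEnvPresent: the pod carries the two variables the EKS pod identity webhook injects for IRSA.
func IRSAEnvPresent(getenv func(string) string) bool {
	return getenv("AWS_ROLE_ARN") != "" && getenv("AWS_WEB_IDENTITY_TOKEN_FILE") != ""
}
```

Running `IRSABypassed(ScanAgentLog(sampleAgentLog), "datadog-agent")` on the sample returns true, which is the signal to alert on: the pod's calls reached AWS as the node role, so the node profile, not the IRSA policy, is the effective permission boundary.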