What would you like to be added:

I would like to be able to add an annotation to the service account that specifies the AWS_REGION/AWS_DEFAULT_REGION so that I can use the same OIDC provider while assuming roles using a web hook identity file across partitions.

It can, however, and probably should, check the ARN and automatically set up the appropriate AWS_REGION/AWS_DEFAULT_REGION based upon the ARN partition identifier (so that there is a sane default, and the user can use the annotation to override it if necessary):

- aws-us-gov: US GovCloud AWS regions
- aws: AWS Commercial regions
- aws-cn: AWS China regions

In this case, defaulting to the primary region would be fine for me (us-gov-east-1, us-east-1, etc.) but with an override so that if you are using the role with resources in another region you can do so easily.

Why is this needed:

More specifically, I am deploying in GovCloud; however, GovCloud still does not have public Route53, so when I want to update records in Route53 I need to use an AWS commercial account.

This works now, and I can use the OIDC provider setup and a role in commercial, and use IRSA to inject the AWS_WEB_IDENTITY_TOKEN_FILE; however, by default it injects:

```
# aws sts get-caller-identity
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account for https://oidc.eks.us-gov-west-1.amazonaws.com/id/0F1216F44E25B48EC173C6B7309C7B14
```
This of course fails:

However, as soon as I set up the right variables:
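The partition-derived default with an annotation override that this issue proposes, sketched in Go as an added example (not code from the webhook project the issue is filed against). It assumes the webhook's existing eks.amazonaws.com/role-arn annotation, a hypothetical eks.amazonaws.com/aws-region override annotation, and cn-north-1 as the aws-cn default, which the issue does not name; it also rejects an override whose region lies outside the role's partition, since that combination produces the STS failure shown above.

```go
package main

import (
	"fmt"
	"strings"
)

// eks.amazonaws.com/role-arn is the webhook's real annotation; the region
// annotation is the override this issue asks for (hypothetical name).
const (
	roleArnAnnotation = "eks.amazonaws.com/role-arn"
	regionAnnotation  = "eks.amazonaws.com/aws-region"
)

// Default region per partition: aws and aws-us-gov as in the issue, aws-cn assumed.
var defaultRegion = map[string]string{
	"aws": "us-east-1", "aws-us-gov": "us-gov-east-1", "aws-cn": "cn-north-1",
}

// regionPartition infers the partition a region name belongs to.
func regionPartition(region string) string {
	switch {
	case strings.HasPrefix(region, "us-gov-"):
		return "aws-us-gov"
	case strings.HasPrefix(region, "cn-"):
		return "aws-cn"
	}
	return "aws"
}

// RegionFor picks the AWS_REGION/AWS_DEFAULT_REGION value to inject: the override
// annotation if set, else the default for the role ARN's partition. An override in
// another partition is rejected, since STS would be called in the wrong partition.
func RegionFor(ann map[string]string) (string, error) {
	arn := ann[roleArnAnnotation]
	f := strings.SplitN(arn, ":", 6) // arn:<partition>:iam::<account>:role/<name>
	if len(f) != 6 || f[0] != "arn" || defaultRegion[f[1]] == "" {
		return "", fmt.Errorf("unrecognised role ARN %q", arn)
	}
	if r := ann[regionAnnotation]; r != "" {
		if regionPartition(r) != f[1] {
			return "", fmt.Errorf("region %s is not in partition %s of %s", r, f[1], arn)
		}
		return r, nil
	}
	return defaultRegion[f[1]], nil
}

func main() {
	fmt.Println(RegionFor(map[string]string{roleArnAnnotation: "arn:aws-us-gov:iam::123456789012:role/demo"}))
}
```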