The corporate standard at our organization for products running inside AWS EKS is to use IAM Roles for Service Accounts (IRSA) to provide credentials for authentication to AWS services such as S3. We are deploying OpenSearch 1.2.4 with the repository-s3 plugin and an IRSA configuration. However, we receive a 403 access denied error from S3 when we try to register the repository. I've looked through the repository-s3 code, looked through the documentation, searched the GitHub issues and the topic here, and I can't find any mention of using IRSA. Is this configuration supported in 1.2.4? If not, is it in 1.3.1, and if not there, is it on the roadmap for implementation?
The AWS SDK used by the plugin might be picking up the right credentials automatically; maybe the S3 bucket policy needs to be updated to allow that new IAM role to perform the action, or there might be an issue with the encryption property or KMS key involved. I have faced similar issues, and when the bucket policy and encryption settings were set up correctly it just worked. S3 responds with 403 for a wide variety of reasons.
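The reply above lists the usual causes of a 403 on repository registration: credentials not being picked up, a policy that does not cover every action the plugin performs, or an SSE-KMS key the role cannot use. The following is an added example (not code from the thread, the plugin, or OpenSearch) that checks two of those from the defender's side: whether the IRSA web-identity variables that the EKS pod identity webhook injects (`AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`) are present in the pod environment, and whether a given IAM policy document grants the S3 actions a snapshot repository needs. The action list is an assumption taken from the usual snapshot-repository permission guidance, the bucket name `example-snapshots` and the policy document are constructed, and the policy evaluator is a deliberately small subset of IAM semantics (Effect, Action, Resource with `*` wildcards; no conditions, no NotAction).

```python
"""Diagnose a repository-s3 403: check IRSA env vars and policy coverage.

Added example; SAMPLE_POLICY, the bucket name and the required-action list
are constructed/assumed and are not taken from the forum thread.
"""
import fnmatch
import os

# Actions the snapshot repository plugin needs (assumption: mirrors the
# commonly published guidance for S3 snapshot repositories).
BUCKET_ACTIONS = {
    "s3:ListBucket", "s3:GetBucketLocation",
    "s3:ListBucketMultipartUploads", "s3:ListBucketVersions",
}
OBJECT_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
}
# Needed on the key when the bucket uses SSE-KMS with a customer-managed key.
KMS_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}

# Variables the EKS pod identity webhook injects for IRSA.
IRSA_ENV_VARS = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")

# Constructed policy: covers everything except s3:DeleteObject.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS),
         "Resource": "arn:aws:s3:::example-snapshots"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject",
                    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
         "Resource": "arn:aws:s3:::example-snapshots/*"},
    ],
}


def missing_irsa_env(env=None):
    """Return the IRSA variables that are absent or empty in the environment."""
    env = os.environ if env is None else env
    return [v for v in IRSA_ENV_VARS if not env.get(v)]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action names are case-insensitive; '*' in a policy matches any run
    # of characters, which fnmatch's '*' also does (it is not path-aware).
    return any(fnmatch.fnmatchcase(value.lower(), p.lower())
               for p in _as_list(patterns))


def missing_permissions(policy, bucket, kms_key_arn=None):
    """Return (action, resource) pairs the policy does not allow.

    A pair is granted only if some Allow statement matches it and no Deny
    statement does. The object resource is checked as the literal
    '<bucket>/*', so a policy scoped to a sub-prefix is reported as missing.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    needed = [(a, bucket_arn) for a in sorted(BUCKET_ACTIONS)]
    needed += [(a, bucket_arn + "/*") for a in sorted(OBJECT_ACTIONS)]
    if kms_key_arn:
        needed += [(a, kms_key_arn) for a in sorted(KMS_ACTIONS)]

    statements = _as_list(policy.get("Statement", []))
    missing = []
    for action, resource in needed:
        allowed = denied = False
        for st in statements:
            if not _matches(st.get("Action", []), action):
                continue
            if not _matches(st.get("Resource", []), resource):
                continue
            if st.get("Effect") == "Allow":
                allowed = True
            elif st.get("Effect") == "Deny":
                denied = True
        if denied or not allowed:
            missing.append((action, resource))
    return missing


if __name__ == "__main__":
    absent = missing_irsa_env()
    print("IRSA env vars missing:", absent or "none (credentials should be web-identity)")
    for action, resource in missing_permissions(SAMPLE_POLICY, "example-snapshots"):
        print(f"policy does not allow {action} on {resource}")
```

Run it inside the OpenSearch pod (`kubectl exec`) with the role's actual policy document pasted in place of `SAMPLE_POLICY`; an empty `missing_irsa_env()` result together with an empty `missing_permissions()` result narrows the remaining 403 causes to things this check does not model, such as the bucket policy, an SCP, or whether the plugin's bundled SDK actually uses the web-identity credentials at all.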
Thanks for the reply and suggestion. I would say it is possible the policy is the problem; however, what I failed to mention is that this same policy worked just fine with Kube2IAM. We're porting away from Kube2IAM and into using IRSA, so I'm pretty sure the policy is correct.