Is IRSA supported for s3 blob stores ? #107
Comments
Yes, this is supported. The blob store integration will look for AWS credentials. In 'values.yaml' you can specify the serviceaccount (that has the required IAM roles attached) or specify the IAM role in the annotations.
@dervos it will be great to share a working example with a specific Nexus docker image version 🙏 because in our case EKS IRSA is not working either with the new version of the Nexus docker image (AWS SDK version).
I am using this chart. Both charts seem to allow you to specify a serviceaccount or annotate an existing serviceaccount.

Image version: v3.35.0 (chart version)

Policy statement (attached to IAM role using eksctl, attached to the serviceaccount used by nexus):

```json
{
  "Action": [
    "s3:PutObject",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:ListBucket",
    "s3:GetLifecycleConfiguration",
    "s3:PutLifecycleConfiguration",
    "s3:PutObjectTagging",
    "s3:GetObjectTagging",
    "s3:DeleteObjectTagging",
    "s3:DeleteBucket",
    "s3:CreateBucket",
    "s3:GetBucketAcl"
  ],
  "Resource": [
    "arn:aws:s3:::<bucket>",
    "arn:aws:s3:::<bucket>/*"
  ],
  "Effect": "Allow"
}
```

If I remember correctly, adding It does however feel very buggy, and the documentation did not offer much guidance on this subject. For example the
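An added example, not part of the thread or of the chart: a small audit that compares an IAM statement attached to the IRSA role with the action list and bucket-scoped ARNs from the policy statement in the comment above. Treating that list as the baseline is an assumption (it is one commenter's working policy, not a documented minimum), and the bucket name and both sample statements are constructed.

```python
from fnmatch import fnmatchcase

# Baseline: the actions listed in the policy statement quoted in the comment above.
BASELINE = {
    "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration",
    "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:DeleteObjectTagging",
    "s3:DeleteBucket", "s3:CreateBucket", "s3:GetBucketAcl",
}

def _as_list(value):
    # IAM allows a single string where a list is expected.
    return value if isinstance(value, list) else [value]

def audit_statement(stmt, bucket):
    """Compare one IAM statement with the baseline for the given bucket."""
    scoped = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    if stmt.get("Effect") != "Allow":
        return {"missing": sorted(BASELINE), "extra": [], "out_of_scope": []}
    patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
    baseline = {a.lower(): a for a in BASELINE}
    # Action names are case-insensitive and may contain * and ? wildcards.
    missing = sorted(orig for low, orig in baseline.items()
                     if not any(fnmatchcase(low, p) for p in patterns))
    # Anything that is not literally a baseline action widens the grant.
    extra = sorted(p for p in patterns if p not in baseline)
    # Resources other than the bucket and its objects are out of scope.
    out_of_scope = sorted(r for r in _as_list(stmt.get("Resource", []))
                          if r not in scoped)
    return {"missing": missing, "extra": extra, "out_of_scope": out_of_scope}

# Constructed sample statements (the bucket name is a placeholder).
TIGHT = {"Effect": "Allow", "Action": sorted(BASELINE),
         "Resource": ["arn:aws:s3:::example-nexus-blobs",
                      "arn:aws:s3:::example-nexus-blobs/*"]}
BROAD = {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:PutObject", "s3:ListAllMyBuckets"],
         "Resource": "*"}

if __name__ == "__main__":
    for name, stmt in (("TIGHT", TIGHT), ("BROAD", BROAD)):
        print(name, audit_statement(stmt, "example-nexus-blobs"))
```
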
Thanks @dervos. We are currently using the legacy community charts, looking to use those new official charts. Indeed I can see the Overall the project still lacks the documentation indeed. But I'm sure it'll come. Closing this issue then
Hi team,
I was wondering if IRSA is a supported auth method for AWS S3 blob stores? If not, do you have any plans to support it?
Thank you!