Gurpreet Singh Sran

Reputation: 31

Accessing S3 Bucket from Strimzi KafkaConnect in AWS EKS

I am trying to access an S3 bucket from Strimzi KafkaConnect in AWS EKS. I have attached it to the Strimzi service account, but it is throwing the exception Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID:

Below is the policy I have created:

{
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::MY-Bucket/*",
                "arn:aws:s3:::MY-Bucket"
            ]
        }
    ],
    "Version": "2012-10-17"
}

Trust Relationship in Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<my-aws-account>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<my-aws-account>:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/<ID>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-west-2.amazonaws.com/id/<id>:sub": "system:serviceaccount:<namespace>:<KafkaConnect name>-connect",
                    "oidc.eks.us-west-2.amazonaws.com/id/<id>:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

Adding to Kafka Connect:

spec:
  template:
    serviceAccount:
      metadata:
        annotations:
          eks.amazonaws.com/role-arn: arn:aws:iam::<my-aws-account>:role/<My role name>

The service account is created with the name <KafkaConnect name>-connect, and the annotation and IAM role are attached to it. However, when I try to access the S3 bucket, it fails with the error:

Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID:

It seems to be trying to fetch S3 with the help of the node-level service role, which is assigned for other purposes instead of my service role.

Can you please help me figure out what I am doing wrong?

Upvotes: 1

Views: 38
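As an added diagnostic example (not part of the question), the script below reproduces offline the two preconditions that must hold before the trust policy above can ever match: the IRSA webhook must have injected AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into the pod (without them the SDK's default credential chain falls through to the node's instance profile, which is exactly the symptom described), and the projected token's sub and aud claims must equal the StringEquals values. The account id, OIDC issuer id, namespace and service account names are constructed placeholders, and the token is built unsigned for the demo; STS performs the real signature check.

```python
import base64
import json
# Constructed trust policy, shaped like the question's AssumeRoleWithWebIdentity statement.
ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLEID"  # placeholder OIDC issuer
TRUST_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:sub": "system:serviceaccount:kafka:my-connect-connect",
            f"{ISSUER}:aud": "sts.amazonaws.com",
        }},
    }],
}

def _b64url(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def make_token(sub: str, aud: str) -> str:
    """Build an UNSIGNED token carrying the claims EKS would project (constructed sample)."""
    return f"{_b64url({'alg': 'RS256'})}.{_b64url({'sub': sub, 'aud': [aud]})}.sig"

def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload; the signature is not verified here (STS does that)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_irsa(pod_env: dict, token: str, trust_policy: dict) -> list:
    """Return findings that explain why the pod would not end up with the IRSA role."""
    findings = []
    # Without both variables the SDK never calls AssumeRoleWithWebIdentity and
    # falls through the default chain to the node's instance profile (node role).
    for var in ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"):
        if var not in pod_env:
            findings.append(f"{var} missing: IRSA not injected, node role will be used")
    if findings:
        return findings
    claims = decode_jwt_payload(token)
    # Every StringEquals key on the web-identity statement must equal the token claim.
    for stmt in trust_policy["Statement"]:
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        for key, expected in stmt["Condition"]["StringEquals"].items():
            claim = key.rsplit(":", 1)[1]  # "<issuer>:sub" -> "sub"
            actual = claims.get(claim)
            actual = actual[0] if isinstance(actual, list) else actual
            if actual != expected:
                findings.append(f"{claim} mismatch: token {actual!r} vs policy {expected!r}")
    return findings
```

Run it against the real values by reading the two variables and the token file from inside the connect pod (for example with kubectl exec) and pasting the role's actual trust policy; an empty findings list means the wiring shown in the question is consistent and the 403 has to come from somewhere else, such as the permissions policy or the bucket policy.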

Answers (0)
