I am trying to configure my Elasticsearch instance for access to an S3 bucket. I want to secure access via an AWS Role, which should be assumed automatically via kube2iam.
I am running into two problems:
For kube2iam to work, it is necessary to add an annotation to the Elasticsearch Pod. I tried via the "podTemplate", but this did not work. Is there any way to do this or do you plan to add support?
If I add the annotation for kube2iam manually to the Pod, I can exec into the container and verify that the AWS Role is assigned correctly. I can access the S3 bucket via the AWS CLI. However, when I try to create the repository, it fails with the following error message:
{"error":{"root_cause":[{"type":"repository_verification_exception","reason":"[s3] path is not accessible on master node"}],"type":"repository_verification_exception","reason":"[s3] path is not accessible on master node","caused_by":{"type":"i_o_exception","reason":"Unable to upload object [tests-hOTEv96NS1yoA4mgpNgzxg/master.dat] using a single upload","caused_by":{"type":"amazon_s3_exception","reason":"Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: XXX; S3 Extended Request ID: XXX"}}},"status":500}
Thanks for clarifying that the pod annotations work. I must have made a mistake in the podTemplate specification.
The second problem is not related to IAM policies. I can verify that the Elasticsearch Pod has access to the S3 bucket via the EC2 instance profile by execing into the container and running the AWS CLI.
However, when Elasticsearch tries to access the bucket via the Snapshot API, it fails with the aforementioned error message.
I just wanted to make sure that it has all permissions, as having a subset may allow you to perform some operations in the CLI but not everything that the snapshot plugin requires. If everything looks like it's configured correctly, it may be worth asking about that specifically in the Elasticsearch forums.
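One way to test the point made in the last reply, that a partial permission set can satisfy the CLI but not the snapshot plugin: this added example (not code from the thread or from Elastic) compares an IAM policy document with the S3 actions recommended in the Elasticsearch repository-s3 documentation. The bucket name, sample policy and probe key are constructed, and Conditions, NotAction and NotResource are not evaluated.

```python
from fnmatch import fnmatchcase

# Permissions the Elasticsearch repository-s3 documentation recommends
# (assumption: confirm against the docs for your version).
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation",
                  "s3:ListBucketMultipartUploads", "s3:ListBucketVersions"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(policy, action, resource):
    """True if an Allow statement covers (action, resource) and no Deny does.
    Conditions, NotAction and NotResource are not evaluated."""
    verdict = False
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue
        # IAM action names are case-insensitive; ARNs are not.
        act_hit = any(fnmatchcase(action.lower(), a.lower())
                      for a in _as_list(stmt["Action"]))
        res_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny always wins
            verdict = True
    return verdict

def missing_actions(policy, bucket, base_path=""):
    """Recommended actions the policy does not grant for this repository."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefix = base_path.strip("/")
    # Same shape as the object in the verification error: tests-<id>/master.dat
    probe = f"{bucket_arn}/{prefix + '/' if prefix else ''}tests-probe/master.dat"
    gaps = [a for a in BUCKET_ACTIONS if not allowed(policy, a, bucket_arn)]
    gaps += [a for a in OBJECT_ACTIONS if not allowed(policy, a, probe)]
    return gaps

# Constructed sample: enough for `aws s3 ls` and `aws s3 cp` under manual/,
# but not for a repository writing anywhere else.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-snapshots"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-snapshots/manual/*"}]}

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY, "example-snapshots", base_path="es"))
```

An empty list means the policy text covers the recommended set; the role the Elasticsearch process actually resolves at runtime still has to be the one carrying that policy.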