I am trying to configure my Elasticsearch instance for access to an S3 bucket. I want to secure access via an AWS Role, which should be assumed automatically via kube2iam.
I am running into two problems:
- For kube2iam to work, it is necessary to add an annotation to the Elasticsearch Pod. I tried via the "podTemplate", but this did not work. Is there any way to do this, or do you plan to add support?
- If I add the annotation for kube2iam manually to the Pod, I can exec into the container and verify that the AWS Role is assigned correctly. I can access the S3 bucket via the AWS CLI. However, when I try to create the repository, it fails with the following error message:
curl -H "Content-Type: application/json" -X PUT --user elastic:XXX -k https://localhost:8000/_snapshot/s3 --data '{"type":"s3", "settings": {"endpoint": "s3.eu-central-1.amazonaws.com", "bucket":"backup", "server_side_encryption": true}}'
{"error":{"root_cause":[{"type":"repository_verification_exception","reason":"[s3] path is not accessible on master node"}],"type":"repository_verification_exception","reason":"[s3] path is not accessible on master node","caused_by":{"type":"i_o_exception","reason":"Unable to upload object [tests-hOTEv96NS1yoA4mgpNgzxg/master.dat] using a single upload","caused_by":{"type":"amazon_s3_exception","reason":"Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: XXX; S3 Extended Request ID: XXX"}}},"status":500}