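It seems we cannot get the Snowplow container (snowplow/scala-stream-collector-kinesis) to use the service account we provide. It always uses the shared-eks-node-role and never the provided service account. The configuration sets both accessKey and secretKey to default.
This is the service account section we use: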
apiVersion: v1
kind: ServiceAccount
metadata:
  name: thijs-service-account
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123:role/thijs-eks-service-account-role-snowplow
When I inspect the pod, I can see the account:
AWS_ROLE_ARN: arn:aws:iam::123:role/thijs-eks-service-account-role-snowplow
The error then shows the incorrect account.
Exception in thread "main" com.amazonaws.services.kinesis.model.AmazonKinesisException: User: arn:aws:sts::123:assumed-role/shared-eks-node-role/i-123 is not authorized to perform: kinesis:DescribeStream on resource: arn:aws:kinesis:eu-west-1:123:stream/snowplow-good (Service: AmazonKinesis; Status Code: 400; Error Code: AccessDeniedException; Request ID: 123-123-123; Proxy: null)
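
The mismatch reported above can be checked mechanically. The following is an added example, not part of the original post and not Snowplow code: it compares the role in AWS_ROLE_ARN with the principal named in the AccessDeniedException and flags a fallback to the node's instance role. The function names and verdict strings are assumptions made for this illustration.

```python
import re

# Principal in an AWS access-denied message: "User: <assumed-role ARN> is not authorized ..."
PRINCIPAL_RE = re.compile(
    r"User: arn:aws[\w-]*:sts::(\d+):assumed-role/([^/\s]+)/(\S+) is not authorized"
)
IAM_ROLE_RE = re.compile(r"arn:aws[\w-]*:iam::(\d+):role/(.+)")


def role_from_iam_arn(role_arn):
    """Return (account, role name) from an IAM role ARN, dropping any role path."""
    m = IAM_ROLE_RE.fullmatch(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return m.group(1), m.group(2).rsplit("/", 1)[-1]


def check_irsa_identity(expected_role_arn, error_line):
    """Compare the role the pod was told to assume with the role that made the call."""
    m = PRINCIPAL_RE.search(error_line)
    if not m:
        return {"verdict": "no-principal-found"}
    account, actual_role, session = m.groups()
    exp_account, exp_role = role_from_iam_arn(expected_role_arn)
    if (account, actual_role) == (exp_account, exp_role):
        verdict = "service-account-role-used"
    elif re.fullmatch(r"i-[0-9a-f]+", session):
        # Instance-profile credentials use the EC2 instance ID as the session name,
        # so the SDK took node credentials instead of the web identity token.
        verdict = "fell-back-to-node-instance-role"
    else:
        verdict = "unexpected-role"
    return {"verdict": verdict, "expected_role": exp_role,
            "actual_role": actual_role, "session": session}


# Values taken from the post above.
POD_ROLE_ARN = "arn:aws:iam::123:role/thijs-eks-service-account-role-snowplow"
ERROR_LINE = (
    "com.amazonaws.services.kinesis.model.AmazonKinesisException: User: "
    "arn:aws:sts::123:assumed-role/shared-eks-node-role/i-123 is not authorized "
    "to perform: kinesis:DescribeStream on resource: "
    "arn:aws:kinesis:eu-west-1:123:stream/snowplow-good"
)

if __name__ == "__main__":
    print(check_irsa_identity(POD_ROLE_ARN, ERROR_LINE))
```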