How to use kubernetes service account in golang?

WBOY
Release: 2024-02-08 20:57:16


Question content

Actually, I mainly use Kubernetes service accounts with Node.js, which works fine, but I have one service written in Go, and I can't seem to get it to work with the service account (I know the service account is configured correctly because I tested it with the pod).

I am using this library https://www.php.cn/link/2ce2b048fbba1c28933b3b167650dc3d

I have tried this so far:

  sess := session.Must(session.NewSession())

  // Explicitly calls sts:AssumeRole using the session's default credentials
  creds := stscreds.NewCredentials(sess, os.Getenv("AWS_ROLE_ARN"))

  svc := s3.New(sess, &aws.Config{Credentials: creds})

And this (just in case):

  region := os.Getenv("AMAZON_REGION")
  sess := session.Must(session.NewSession(&aws.Config{Region: &region}))

  // No explicit credentials: the SDK's default credential chain is used
  svc := s3.New(sess)

For the first case I get the following error:

AccessDenied: User: arn:aws:sts::xxxxxxxx:assumed-role/staging-worker-node/i-0xxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxx:role/EKSServiceAccount-app

For the second case, I got a general permissions error.

I read the documentation and tried a few more things (which may not be relevant here), but I can't seem to get it to work, maybe because I don't have much experience with Golang.


Correct Answer


Here are a few ways you can try to get your Go service to work with a service account on Kubernetes:

Verify that your Go service is correctly configured to use the Kubernetes service account. This can be done by checking that the service account is correctly mounted as a volume in the Pod definition and that the service is able to read the credentials from the volume.

Make sure that the AWS SDK for Go (https://github.com/aws/aws-sdk-go) you are using is configured to use the correct credentials. The SDK supports multiple methods of providing credentials, including environment variables, shared credentials files, and IAM roles.

You can try to use the k8s.io/client-go library instead of the AWS SDK for Go, which will help you to authenticate with the Kubernetes API using the Kubernetes service account and get the AWS credentials required for the development kit.

If you use a Kubernetes service account to authenticate to an external service such as AWS, you may also need to configure an IAM role to allow the service account to access the necessary resources.

Double check that your Go service is correctly using the Kubernetes service account token and passing it as an authentication token to the AWS SDK.

You can also try using the k8s.io/client-go library to get the secret and use it in your Go code.
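
To check the first and fifth points above from inside the pod, this added example (not part of the original answer, nor code from the AWS SDK or Kubernetes) confirms that the service account token file is present and readable and decodes its claims. It assumes the cluster uses EKS IAM roles for service accounts, which sets AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE in the pod; Claims, DecodeClaims and CheckIRSA are hypothetical names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

type Claims struct { // fields of the projected service account token worth checking
	Subject  string   `json:"sub"` // system:serviceaccount:<namespace>:<name>
	Audience []string `json:"aud"`
	Expiry   int64    `json:"exp"`
}

// DecodeClaims reads the JWT payload WITHOUT verifying the signature (diagnostics only).
func DecodeClaims(token string) (c Claims, err error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("not a JWT: got %d parts, want 3", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c, err
}

// CheckIRSA reports why the service account token would be unusable in this pod.
func CheckIRSA(getenv func(string) string, now time.Time) (Claims, error) {
	path := getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	if getenv("AWS_ROLE_ARN") == "" || path == "" {
		return Claims{}, fmt.Errorf("AWS_ROLE_ARN or AWS_WEB_IDENTITY_TOKEN_FILE is unset")
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return Claims{}, fmt.Errorf("token file not readable: %w", err)
	}
	c, err := DecodeClaims(string(data))
	if err == nil && now.Unix() >= c.Expiry {
		err = fmt.Errorf("token expired")
	}
	return c, err
}

func main() { // prints the claims and any error, never the token itself
	fmt.Println(CheckIRSA(os.Getenv, time.Now()))
}
```

If the variables are unset or `sub` is not the expected `system:serviceaccount:<namespace>:<name>`, the pod is not presenting the service account; the error in the question shows the request being made as the worker node role instead.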


source:stackoverflow.com