Peer server won't use AWS WebIdentity credential provider

jonathan · July 30, 2020, 10:38pm

Hi.

We are running Datomic peer server in an AWS EKS cluster. We use Kubernetes service accounts combined with EKS-issued OIDC tokens/Assumable IAM roles to grant access to AWS resources such as DynamoDB and S3.

Unfortunately, even the newest release of datomic-pro is packaged with an outdated version of the AWS Java SDK (1.11.600). Unlike versions after 1.11.704, it does not prioritize WebIdentity over instance profile credentials in the provider chain. This means that even though our peer server service account has the correct IAM roles available, peer server is using the instance role instead. More info can be found in this aws-sdk-java issue.

I’ve solved this by switching out the AWS SDK files in the datomic_pro lib/ directory for newer versions in my container:

RUN rm lib/aws-java-sdk-*.jar
ADD https://repo1.maven.org/maven2/com/amazonaws/aws-java-sdk/1.11.704/aws-java-sdk-1.11.704.jar lib/
ADD https://repo1.maven.org/maven2/com/amazonaws/aws-java-sdk-core/1.11.704/aws-java-sdk-core-1.11.704.jar lib/
ADD https://repo1.maven.org/maven2/com/amazonaws/aws-java-sdk-dynamodb/1.11.704/aws-java-sdk-dynamodb-1.11.704.jar lib/
ADD https://repo1.maven.org/maven2/com/amazonaws/aws-java-sdk-sts/1.11.704/aws-java-sdk-sts-1.11.704.jar lib/

However, it’s not a great long term solution. I’m posting this just in case others encounter the same problem. I’m also hoping that someone on the datomic team can tell me if/when the aws sdk will be updated in the datomic-pro release.

marshall · July 31, 2020, 6:04pm

Hi Jonathan,

We’re working on an update to the AWS SDK dependency for an upcoming release.

-Marshall

husayn · December 5, 2020, 6:29pm

Hello @jonathan ,

I am running datomic on EKS too, and it has been running just fine, but now I want to backup to s3, so I started thinking of using service account and wanted to find out if datomic supports it and stumbled on your post. Thanks. I am on the latest datomic (1.0.6222) and it is still on the 1.11.600 aws sdk.
My question is any reason why you removed about 180 jars and replaced it only with 4 ? Have you not had any issues because of the missing 176 ? So would I just have to add aws-java-sdk-s3 to your list, since I am trying to backup to s3 ?

Topic		Replies	Views
DynamoDB, `datomic:ddb//` connect URI, and AWS STS roles - can we provide the token for a keypair? Datomic Pro	1	953	May 23, 2018
Are there plans to make the datomic-cli work with AWS SSO? Datomic Cloud	3	841	October 6, 2022
Setting up Datomic Cloud in an existing VPC Datomic Cloud	2	836	May 20, 2019
ClassNotFoundException com.amazonaws.services.dynamodbv2.model.SSESpecification with Datomic Pro 1.0.6165 and the currently recommended [com.amazonaws/aws-java-sdk-dynamodb "1.11.82"] Troubleshooting	1	1406	June 8, 2020
How to pass ensure-transactor fn an aws role Datomic Pro	1	381	October 18, 2022

Peer server won't use AWS WebIdentity credential provider

Related topics