[BUG] datadog-agent pod cannot assume AWS IRSA credentials #29916

Open

Description

Agent Environment

Agent (v7.56.1)
EKS version 1.30
Cloud env: AWS

datadog.yaml

  collect_ec2_tags: true
  collect_ec2_tags_use_imds: true
  ec2_prefer_imdsv2: true

Describe what happened:
We're attempting to minimize the instance profile permissions and remove ec2:describeTags from the instance role, and use the IRSA role and permissions. We're currently running IMDSv2 and v1 access is disabled (no tag access via the metadata API at the moment).
Every time the agent starts up, it is always using the instance profile, even though the pod has an IRSA assignment.

When checking the code, it is initializing with ec2.New() and failing to pick up the local credentials (the ones provided by IRSA); a fix has been raised in the PR.

Describe what you expected:
datadog-agent to initialise with the stored credentials from IRSA and use them accordingly.

Steps to reproduce the issue:
Set up an EKS environment with a cluster node without IMDSv2, disable v1 access and set the hop count to 2 (so the pod can still access the metadata).
Make sure the instance profile has enough permission to join the cluster, etc., but without ec2:describeTags.
Configure the datadog-agent pod to use IRSA with an IAM role that has the ec2:describeTags permission, as well as a datadog.yaml config with

  collect_ec2_tags: true
  collect_ec2_tags_use_imds: true
  ec2_prefer_imdsv2: true

Start the pod and you will see errors like:

2024-10-08 03:34:13 UTC | CORE | WARN | (pkg/util/ec2/ec2_tags.go:104 in fetchEc2TagsFromAPI) | unable to get tags using default credentials (falling back to instance role): operation error EC2: DescribeTags, https response error StatusCode: 400, RequestID: 82d0e092-056f-43a6-a70b-976f6956532c, api error MissingParameter: The request must contain the parameter AWSAccessKeyId
2024-10-08 03:34:14 UTC | CORE | WARN | (pkg/util/ec2/ec2_tags.go:181 in GetTags) | unable to get tags from aws and cache is empty: operation error EC2: DescribeTags, https response error StatusCode: 403, RequestID: 147135df-8167-4b84-8ae0-ab0bf1947ebe, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::762127954425:assumed-role/dev-eks-worker-role/i-0f34b0a54b48e785d is not authorized to perform: ec2:DescribeTags because no identity-based policy allows the ec2:DescribeTags action

Additional environment details (Operating System, Cloud provider, etc):
Cloud Provider: AWS
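As an added example (not the reporter's code and not the agent's), a small Go check a defender can run inside the agent pod to confirm IRSA is actually injected before blaming the client construction: it reads the variables the EKS pod identity webhook sets (AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE), decodes the projected token's claims, and reports whether the SDK default credential chain would use web identity or fall back to the node's instance profile as in the WARN lines above. The accessor parameters and the "web-identity"/"instance-profile" labels are this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// tokenClaims decodes the payload of the projected service-account JWT that the
// EKS pod identity webhook mounts for IRSA; signature verification is left to STS.
func tokenClaims(token string) (sub string, exp time.Time, err error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return "", exp, fmt.Errorf("token has %d segments, want 3", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", exp, fmt.Errorf("decode payload: %w", err)
	}
	// Only the subject (which service account) and expiry matter for this check.
	var c struct{ Sub string `json:"sub"`; Exp int64 `json:"exp"` }
	if err = json.Unmarshal(payload, &c); err != nil {
		return "", exp, fmt.Errorf("parse claims: %w", err)
	}
	return c.Sub, time.Unix(c.Exp, 0), nil
}

// diagnoseIRSA reports which source the AWS SDK default credential chain would
// use in this pod: "web-identity" when AWS_ROLE_ARN and a valid token file are
// present, else "instance-profile" (the IMDS fallback seen in the issue's WARN lines).
func diagnoseIRSA(getenv func(string) string, readFile func(string) ([]byte, error), now time.Time) (string, error) {
	path := getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	if getenv("AWS_ROLE_ARN") == "" || path == "" {
		return "instance-profile", fmt.Errorf("IRSA env not injected: check the ServiceAccount role annotation")
	}
	raw, err := readFile(path)
	if err != nil {
		return "instance-profile", fmt.Errorf("read token %s: %w", path, err)
	}
	sub, exp, err := tokenClaims(string(raw))
	if err != nil {
		return "instance-profile", err
	}
	if !exp.After(now) {
		return "instance-profile", fmt.Errorf("token for %s expired at %s", sub, exp.UTC().Format(time.RFC3339))
	}
	return "web-identity", nil
}
```

Wire it to os.Getenv and os.ReadFile from a main and run it inside the pod (for example via kubectl exec); a "web-identity" result with the agent still using the instance role points at the client construction, while "instance-profile" points at the pod's IRSA setup.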
