[AWS SQS Queue]: AccessDenied, cannot access sqs to get queue information #4764

Closed
xyfleet opened this issue Jul 2, 2023 · 1 comment
Labels
bug Something isn't working

xyfleet commented Jul 2, 2023

Report

My KEDA cannot get SQS queue metrics, so the AWS SQS Queue scaler cannot work as expected.

I installed KEDA through the Helm chart and created an IAM role with AssumeRoleWithWebIdentity, so the service account keda-operator can assume this IAM role. This role has the AmazonSQSFullAccess policy attached.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::1234567890:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/353Axxxxxxxxxxx"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-east-1.amazonaws.com/id/353Axxxxxxxxxxx:sub": "system:serviceaccount:keda:keda-operator"
                }
            }
        }
    ]
}
```

Expected Behavior

I expected KEDA to get SQS queue information and autoscale when necessary.

Actual Behavior

1: KEDA did not work since it cannot get metrics from the AWS SQS queue.

Steps to Reproduce the Problem

1: Install KEDA
2: Create an IAM role with AssumeRoleWithWebIdentity
3: Attach an AmazonSQSFullAccess policy to the role
4: Follow this https://keda.sh/docs/2.0/scalers/aws-sqs/ to finish the autoscaling deployment for one queue

Logs from KEDA operator


```
2023-07-02T22:52:51Z  ERROR scalehandler  error getting metric for scaler {"scaledObject.Namespace": "default", "scaledObject.Name": "my-test-scaler", "scaler": "awsSqsQueueScaler", "error": "AccessDenied: User: arn:aws:sts::1234567890:assumed-role/my-keda-sqs/1688338371744324202 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234567890:role/my-keda-sqs\n\tstatus code: 403, request id: d017aff5-0d9e-47b6-9e8a-690b4a70ba09"}
```

KEDA Version

2.9.1

Kubernetes Version

1.24

Platform

Amazon Web Services

Scaler Details

AWS SQS Queue

Anything else?

No response

xyfleet added the bug label Jul 2, 2023

JorTurFer (Member) commented

I think this will be solved with: #4134
We have discussed this here: https://kubernetes.slack.com/archives/CKZJ36A5D/p1688329407964729

xyfleet closed this as completed Jul 3, 2023
JorTurFer closed this as not planned Jul 5, 2023
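
The operator log and the trust policy posted in this issue can be compared mechanically: which STS action was denied, on which role, and whether the trust policy grants that action at all. The following is an added example, not part of the original issue or of KEDA's code; the helper names (`diagnose`, `allowed_actions`) are hypothetical, and it compares action names literally without evaluating principals, conditions or wildcards.

```python
import json
import re

# Trust policy and error text copied from the issue (IDs are the issue's redacted values).
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"Federated": "arn:aws:iam::1234567890:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/353Axxxxxxxxxxx"},
   "Action": "sts:AssumeRoleWithWebIdentity",
   "Condition": {"StringEquals": {
     "oidc.eks.us-east-1.amazonaws.com/id/353Axxxxxxxxxxx:sub": "system:serviceaccount:keda:keda-operator"}}}]}
""")
LOG_ERROR = ("AccessDenied: User: arn:aws:sts::1234567890:assumed-role/my-keda-sqs/"
             "1688338371744324202 is not authorized to perform: sts:AssumeRole "
             "on resource: arn:aws:iam::1234567890:role/my-keda-sqs")

DENIED = re.compile(r"User: (?P<caller>\S+) is not authorized to perform: "
                    r"(?P<action>\S+) on resource: (?P<resource>arn:[\w:/+=,.@-]+)")
SESSION = re.compile(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/.+")

def as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def allowed_actions(policy):
    """Actions granted by the Allow statements of a trust policy (wildcards not expanded)."""
    return {a for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"
            for a in as_list(s.get("Action", []))}

def diagnose(policy, message):
    """Compare the denied STS call in an AccessDenied message with a trust policy."""
    m = DENIED.search(message)
    if not m:
        raise ValueError("not an AccessDenied authorization message")
    caller, action, resource = m["caller"], m["action"], m["resource"]
    s = SESSION.fullmatch(caller)
    # Role behind the calling session, or None if the caller is not an assumed-role session.
    caller_role = f"arn:aws:iam::{s[1]}:role/{s[2]}" if s else None
    return {"action": action, "resource": resource, "caller_role": caller_role,
            "self_assume": caller_role == resource,
            "action_in_trust_policy": action in allowed_actions(policy)}

if __name__ == "__main__":
    print(json.dumps(diagnose(TRUST_POLICY, LOG_ERROR), indent=2))
```

For the values above it reports that a session of `my-keda-sqs` attempted `sts:AssumeRole` on its own role, while the trust policy grants only `sts:AssumeRoleWithWebIdentity`.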