Description
Bug Overview
When running the container on EKS and configuring it to use EKS Pod Identity, it uses the underlying node's identity and credentials instead of the credentials provided by EKS Pod Identity, resulting in access denied errors.
Expected Behavior
When I configure the pod to use EKS Pod Identity, I expect it to use the credentials provided by EKS Pod Identity, not the host's credentials.
Steps to Reproduce the Bug
Configure and deploy a pod on EKS according to the documentation, with EKS Pod Identity also deployed, and the correct permissions set up.
Environment Details
- Version of the S3 container used: DockerHub
- Version of NGINX Open Source or NGINX Plus: OSS
- Version of NGINX JavaScript: no idea
- Target deployment platforms: EKS
- S3 backend implementation: AWS
- Authentication method: EKS Pod Identity
Additional Context
After investigation, we found out where the problem lies. The `nginx.conf` file lists the environment variables that are passed to the worker threads. Just by adding the `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` environment variable to the list of environment variables passed to the worker threads, it works.
TL;DR: adding `env AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE;` to `nginx.conf` fixes the issue.
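nginx drops inherited environment variables (except TZ) unless an `env` directive names them, so a variable missing from that list never reaches the credential lookup. The check below is an added example, not code from the project or the reporter: it lists which credential variables a given `nginx.conf` fails to pass through. The sample config is constructed, the function names are hypothetical, and `AWS_CONTAINER_CREDENTIALS_FULL_URI` (the other variable EKS Pod Identity injects) is not mentioned in the issue.

```shell
#!/bin/sh
# Added example: find environment variables that nginx will NOT pass on,
# because nginx.conf has no "env NAME;" directive for them.

# sample_conf: constructed nginx.conf fragment (not the project's real file).
sample_conf() {
cat <<'EOF'
worker_processes auto;
env AWS_CONTAINER_CREDENTIALS_FULL_URI;
env EXAMPLE_SETTING=on;   # name=value form also counts as declared
# env AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE;   (commented out: not declared)
events {}
EOF
}

# declared_env CONF: print every variable named by an env directive,
# ignoring comments and accepting both "env NAME;" and "env NAME=value;".
declared_env() {
    sed -e 's/#.*//' "$1" | tr ';' '\n' |
        awk '$1 == "env" && NF >= 2 { sub(/=.*/, "", $2); print $2 }'
}

# missing_env CONF NAME...: print each NAME with no env directive in CONF.
# Returns 1 if at least one name is missing, 0 otherwise.
missing_env() {
    conf=$1; shift
    declared=$(declared_env "$conf")
    rc=0
    for name in "$@"; do
        printf '%s\n' "$declared" | grep -qxF -- "$name" || { echo "$name"; rc=1; }
    done
    return $rc
}

# Demo on the constructed sample: the token file variable is reported.
demo_conf=$(mktemp) && sample_conf > "$demo_conf"
missing_env "$demo_conf" \
    AWS_CONTAINER_CREDENTIALS_FULL_URI \
    AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE ||
    echo "add an 'env NAME;' line to nginx.conf for each variable listed above"
rm -f "$demo_conf"
```

Run against the image's real `nginx.conf` in CI, a non-zero exit flags a build that would fall back to the node's credentials under EKS Pod Identity.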