-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Certificate path detection is incorrect when using AWS STS (eg with AWS EKS) #1129
Comments
We should set up our own AWS EKS cluster so we can test this properly. |
Plan for the development
|
I've been setting up a test AWS EKS cluster to help with this. I've put the deployment files here: https://github.com/poodlewars/scratch/tree/k8s-files .
On Amazon Linux, this works out of the box, as it has the RHEL style cert locations. With an Ubuntu image, this fails. Interesting it still fails on a Conda based install (mamba) even though we dynamically link openssl there? I've set up a cluster This was mostly following the fargate version of these notes, https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html then applying the configs above. |
Test passes with Conda installation in centos and ubuntu. Possible reason is:
|
At the moment, S3 SDK doesn't allow manually setting ca cert path for EKS, due to the corresponding settings is not being passed to it: https://github.com/aws/aws-sdk-cpp/blob/e9d0d247be909ade39f213a3e2915aa262755a78/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp#L110
|
We are going to dynamically linked
|
The plan was scrapped as the decision is irreversible and maintainence debt for the future new version of |
Describe the bug
The Azure we detect (using the openssl python lib) correct certificate locations, and use them in the Azure SDK.
For S3, we use the system default. But since we build on
manylinux
, and statically link libcurl and openssl, this means the "system default" we end up using is CentOS', which can lead to problems when running on other Linuxes.Example failing flow:
On S3, we should use the same certificate location detection logic that we have for Azure.
There is a private thread that Alex Seaton can add you to about this with more context, https://arcticdb.slack.com/archives/C064NA7BK5H/p1701703865582509 .
The text was updated successfully, but these errors were encountered: