I have a Kubernetes setup with STS and it works fine with the SDK for SQS, SNS etc. I need to use STS auth with the fog-aws gem to download/list files. I can do it with the ruby aws-sdk-s3 gem, but I use the carrierwave gem, so I am trying to figure it out using fog-aws.
Using sdk - Works

require 'aws-sdk-s3'
# No explicit credentials: the SDK picks them up from the pod environment
s3 = Aws::S3::Client.new
resp = s3.list_objects(bucket: 'sts-s3-test')
<Lists objects successfully>
Using fog-aws - Fails

require 'fog/aws'
s3 = Fog::Storage.new(provider: 'AWS', region: 'us-west-2', use_iam_profile: true)
directory = s3.directories.get('sts-s3-test')
Excon::Error::Forbidden (Expected(200) <=> Actual(403 Forbidden))
<Error><Code>AccessDenied</Code>
Appreciate any pointers, thanks.
EDIT:
STS is configured by our DevOps in Kubernetes using a service account: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/. I am not aware of the internals and how it works, but with this setup the new AWS SDK can read the account details and assumes the role automatically; there is no need to explicitly call the assume role functionality. We can see this from my first example for listing S3 objects, where I do not pass any credentials. Link to the new AWS SDK version which uses the service account from pods: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
I have tried the approach of getting a temporary access key & secret and passing them to the storage class, but that also doesn't work. Our DevOps guy says all access with key & secret is disabled and the only way to use it is assume_role_with_web_identity.
I also found a gist which I think solves the issue I am having; I am yet to give it a try. Link for ref: https://gist.github.com/peterwells/39a5c31d934fa8eb0f2c
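The route the post points at (exchanging the pod's service-account token for temporary keys via AssumeRoleWithWebIdentity and handing those keys, session token included, to fog-aws), as an added example that is not from the question or the linked gist. It assumes the aws-sdk-core and fog-aws gems are installed and that the EKS pod identity webhook has injected AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into the pod; the region and session name are assumptions as well.

```ruby
# Bridge IRSA (web-identity) credentials into fog-aws. fog-aws's
# use_iam_profile only talks to the EC2 instance metadata service, so it
# never sees the web-identity token the pod was given; the SDK's
# AssumeRoleWebIdentityCredentials does, and its output can be passed to Fog.

# Read the settings the EKS webhook injects (assumed env var names are the
# ones IRSA uses). Fail early with a clear message rather than with a 403
# from S3 later on.
def irsa_settings(env = ENV)
  role_arn   = env['AWS_ROLE_ARN']
  token_file = env['AWS_WEB_IDENTITY_TOKEN_FILE']
  raise ArgumentError, 'AWS_ROLE_ARN is not set' if role_arn.nil? || role_arn.empty?
  raise ArgumentError, 'AWS_WEB_IDENTITY_TOKEN_FILE is not set' if token_file.nil? || token_file.empty?
  { role_arn: role_arn, token_file: token_file }
end

# Turn any provider that responds to #credentials (Aws::AssumeRoleWebIdentityCredentials
# does) into the options hash Fog::Storage.new expects. The session token is
# the part a plain key/secret pair lacks, which is why static keys are rejected.
def fog_options_from(provider, region:)
  creds = provider.credentials
  {
    provider: 'AWS',
    region: region,
    aws_access_key_id: creds.access_key_id,
    aws_secret_access_key: creds.secret_access_key,
    aws_session_token: creds.session_token
  }
end

# Exchange the service-account token for temporary keys with STS
# AssumeRoleWithWebIdentity and build a Fog storage connection from them.
def fog_storage_via_web_identity(region: 'us-west-2', env: ENV)
  require 'aws-sdk-core' # bundles the STS client
  require 'fog/aws'
  settings = irsa_settings(env)
  provider = Aws::AssumeRoleWebIdentityCredentials.new(
    role_arn: settings[:role_arn],
    web_identity_token_file: settings[:token_file],
    role_session_name: 'fog-aws-s3', # assumed name; shows up in CloudTrail
    client: Aws::STS::Client.new(region: region)
  )
  Fog::Storage.new(fog_options_from(provider, region: region))
end
```

Fog keeps a static copy of the keys, so they stop working when the STS session expires (one hour by default); rebuild the connection, or call `fog_options_from` again on the same provider, before that happens.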