Error connecting to AWS services using web identity

Hey,

I'm having an issue with the AWS connection. I am trying to assume a role using the provider chain, and I receive an error from the AWS SDK when setting up Lambda.

I use retool-wf latest, deployed with Helm on EKS.
My service account is tagged with my EKS role, and my Retool service fails when trying to assume the role with web identity.

Here is the error stack:

CredentialsProviderError: Role Arn '[MY_ROLE_ARN]' needs to be assumed with web identity, but no role assumption callback was provided.
    at /snapshot/retool_development/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-web-identity/dist-cjs/fromWebToken.js:8:15
    at resolveTokenFile (/snapshot/retool_development/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-web-identity/dist-cjs/fromTokenFile.js:27:7)
    at /snapshot/retool_development/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-web-identity/dist-cjs/fromTokenFile.js:11:12
    at /snapshot/retool_development/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/property-provider/dist-cjs/chain.js:11:28
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async coalesceProvider (/snapshot/retool_development/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/property-provider/dist-cjs/memoize.js:14:24)
    at async /snapshot/retool_development/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/property-provider/dist-cjs/memoize.js:33:24
    at async getAWSCredentials (/snapshot/retool_development/backend/transpiled/common/aws/awsIAMAuth.js)
    at async createLambdaClient (/snapshot/retool_development/backend/transpiled/dbconnector/connectors/lambda.bridge.js)
    at async Object.connect (/snapshot/retool_development/backend/transpiled/dbconnector/connectors/lambda.bridge.js)

Hey @fettay! Happy to help here.

  1. Would you mind sharing how you configured your service account?
  2. And could you also share the statement from the trust policy for that role that allows that service account to take the AssumeRoleWithWebIdentity action?
  3. Do you have this environment variable set to anything? DBCONNECTOR_AWS_ROLE_ASSUMER_WITH_WEB_IDENTITY

Thanks @victoria, I just set the flag DBCONNECTOR_AWS_ROLE_ASSUMER_WITH_WEB_IDENTITY and it worked perfectly!!

Woo-hoo!!! So happy to hear that, glad we were able to get this resolved :smile: Please do let us know if you have any other questions.
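
Added example (not part of the thread and not Retool's code): a Node.js check of the two things asked about in the reply above, the role's trust policy statement for AssumeRoleWithWebIdentity and the service account identity carried in the projected token. The issuer, account ID, namespace and service account name are constructed placeholders, and `checkIrsaTrust` and `decodeClaims` are hypothetical helper names.

```javascript
// Added example; every ARN, issuer URL and name below is a constructed placeholder.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Decode a projected service account token's payload WITHOUT verifying it
// (diagnostics only; STS performs the real signature validation).
const decodeClaims = (jwt) =>
  JSON.parse(Buffer.from(jwt.split(".")[1], "base64").toString("utf8")); // Node's base64 decoder accepts the URL-safe alphabet

// StringEquals is exact; StringLike allows * and ? wildcards.
function matches(op, pattern, value) {
  if (op === "StringEquals") return pattern === value;
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`).test(value);
}

// Only StringEquals/StringLike on the issuer's :sub and :aud keys are evaluated.
function checkIrsaTrust(trustPolicy, claims) {
  const issuer = claims.iss.replace(/^https:\/\//, ""); // condition keys omit the scheme
  for (const st of asArray(trustPolicy.Statement)) {
    if (st.Effect !== "Allow" || !asArray(st.Action).includes("sts:AssumeRoleWithWebIdentity")) continue;
    const fed = asArray(st.Principal && st.Principal.Federated);
    if (!fed.some((arn) => arn.endsWith(`:oidc-provider/${issuer}`))) continue;
    let ok = true, subPinned = false;
    for (const op of ["StringEquals", "StringLike"]) {
      for (const [key, want] of Object.entries((st.Condition && st.Condition[op]) || {})) {
        const isSub = key === `${issuer}:sub`, isAud = key === `${issuer}:aud`;
        if (!isSub && !isAud) continue;
        subPinned = subPinned || isSub;
        const have = asArray(isSub ? claims.sub : claims.aud);
        ok = ok && asArray(want).some((p) => have.some((c) => matches(op, p, c)));
      }
    }
    if (ok) return { allowed: true, warnings: subPinned ? [] : ["no :sub condition: any service account in the cluster can assume this role"] };
  }
  return { allowed: false, warnings: [] };
}

// Constructed sample: trust policy statement and token claims for one service account.
const ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000000000";
const samplePolicy = { Version: "2012-10-17", Statement: [{
  Effect: "Allow", Action: "sts:AssumeRoleWithWebIdentity",
  Principal: { Federated: `arn:aws:iam::111122223333:oidc-provider/${ISSUER}` },
  Condition: { StringEquals: { [`${ISSUER}:sub`]: "system:serviceaccount:retool:retool-workflows",
                               [`${ISSUER}:aud`]: "sts.amazonaws.com" } } }] };
const sampleClaims = { iss: `https://${ISSUER}`, aud: ["sts.amazonaws.com"],
                       sub: "system:serviceaccount:retool:retool-workflows" };
console.log(checkIrsaTrust(samplePolicy, sampleClaims));
```

On a pod, the claims come from passing the contents of the file named by `AWS_WEB_IDENTITY_TOKEN_FILE` to `decodeClaims`.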