zbikmarc changed the title from "AWS Assumed Role is ignored when running in kubernetes/EKS" to "AWS Role assigned to ServiceAccount is ignored when running in kubernetes/EKS" on Dec 14, 2022
import-map-deployer ignores the role assigned to the service account when running in k8s/EKS. As a result it is impossible to limit S3 access permissions just to the particular pod with import-map-deployer running.

Looks like [email protected] locked in the yarn.lock file has either a bug or a lack of functionality, and it seems to ignore AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE provided by the EKS integration with AWS IAM roles.

When I run your image with an interactive shell and execute the below commands in the node REPL:

I got the EKS Worker node role in return.

However, when I run your base image (node:14-alpine) and install the latest aws-sdk@2 (in my case it is 2.1274.0), it returns the role assigned to the service account. I double-checked this using the same image (node:14-alpine) and explicitly installing [email protected], and the behaviour is exactly the same as in your image.

Possibly the quickest fix is to update the aws-sdk@2 version in yarn.lock to something more recent.
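A startup check for the failure described in this issue, as an added example that is not part of the original report or of import-map-deployer: it compares the ARN reported by STS GetCallerIdentity with AWS_ROLE_ARN, so a pod that silently fell back to the worker node role is caught before it touches S3. The function names, account ID, role names and session names are constructed for illustration.

```javascript
// Added example. Input: the Arn field of an STS GetCallerIdentity response
// (with aws-sdk v2: (await new AWS.STS().getCallerIdentity().promise()).Arn)
// and the pod environment. No AWS call is made here, so it runs offline.

// AWS_ROLE_ARN form: arn:aws:iam::<account>:role/<optional/path/><name>
function parseRoleArn(arn) {
  const m = /^arn:(aws[\w-]*):iam::(\d{12}):role\/(?:.+\/)?([^/]+)$/.exec(arn || '');
  return m ? { partition: m[1], account: m[2], name: m[3] } : null;
}

// Caller identity form: arn:aws:sts::<account>:assumed-role/<name>/<session>
// The IAM path is NOT present here, so only the role name can be compared.
function parseAssumedRoleArn(arn) {
  const m = /^arn:(aws[\w-]*):sts::(\d{12}):assumed-role\/([^/]+)\/([^/]+)$/.exec(arn || '');
  return m ? { partition: m[1], account: m[2], name: m[3], session: m[4] } : null;
}

function checkIrsaIdentity(callerArn, env) {
  // Both variables are injected by the EKS IAM-roles-for-service-accounts webhook.
  if (!env.AWS_ROLE_ARN || !env.AWS_WEB_IDENTITY_TOKEN_FILE) {
    return { ok: false, reason: 'irsa-env-missing' };
  }
  const want = parseRoleArn(env.AWS_ROLE_ARN);
  if (!want) return { ok: false, reason: 'bad-role-arn' };
  const got = parseAssumedRoleArn(callerArn);
  if (!got) return { ok: false, reason: 'caller-not-assumed-role' };
  const same = want.partition === got.partition &&
    want.account === got.account && want.name === got.name;
  return same
    ? { ok: true, reason: 'service-account-role' }
    : { ok: false, reason: 'fell-back-to-other-role', actual: got.name };
}

// Constructed sample values (not taken from the issue).
const sampleEnv = {
  AWS_ROLE_ARN: 'arn:aws:iam::111122223333:role/apps/import-map-deployer-s3',
  AWS_WEB_IDENTITY_TOKEN_FILE: '/var/run/secrets/eks.amazonaws.com/serviceaccount/token',
};
const nodeRoleArn =
  'arn:aws:sts::111122223333:assumed-role/eks-worker-node-role/i-0123456789abcdef0';
const podRoleArn =
  'arn:aws:sts::111122223333:assumed-role/import-map-deployer-s3/session-1';

console.log(checkIrsaIdentity(nodeRoleArn, sampleEnv)); // SDK ignored the web identity token
console.log(checkIrsaIdentity(podRoleArn, sampleEnv));  // SDK used the service account role
```

Failing closed on any result where `ok` is false keeps the deployer from operating with the broader node role.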