fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! General improvements

2026-06-09 23:19:15 +00:00 · 2025-01-10 14:11:41 +00:00
parent 31bec1955b
commit d73e9067ba
3 changed files with 18 additions and 8 deletions
@@ -10,9 +10,9 @@ description: |

 type: application

-version: 0.2.36
+version: 0.2.38

-appVersion: "0.2.36"
+appVersion: "0.2.38"

 home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator

@@ -12,7 +12,7 @@ sa:
        - ALL
    image:
      repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator
-      tag: 0.2.36
+      tag: 0.2.38
    resources:
      limits:
        cpu: 500m
@@ -63,14 +63,24 @@ def get_s3_client(use_role=False, role_name=None, use_current_role=False, aws_ac
        # Use the current role (e.g., from Kubernetes service account)
        logger.info("Using current role from environment")
        try:
-            client = boto3.client('s3', **client_kwargs)
-            # Try to get caller identity to verify credentials
-            sts = boto3.client('sts')
-            identity = sts.get_caller_identity()
-            logger.info(f"Successfully authenticated using current role: {identity['Arn']}")
+            # Don't create an STS client or try to assume role, just use the web identity credentials directly
+            session = boto3.Session()
+            client = session.client('s3', **client_kwargs)
+            
+            # Log the identity for debugging but don't create a separate STS client
+            creds = session.get_credentials()
+            if creds:
+                logger.info("Successfully obtained credentials from environment")
+                # Try to get the role ARN from environment for logging
+                role_arn = os.environ.get('AWS_ROLE_ARN')
+                if role_arn:
+                    logger.info(f"Using role: {role_arn}")
            return client
        except Exception as e:
            logger.error(f"Failed to use current role: {str(e)}")
+            logger.error("Environment variables:")
+            for env_var in ['AWS_WEB_IDENTITY_TOKEN_FILE', 'AWS_ROLE_ARN', 'AWS_ROLE_SESSION_NAME']:
+                logger.error(f"- {env_var}: {os.environ.get(env_var, 'not set')}")
            raise
    else:
        # Use default credentials (environment, instance profile, or pod service account)