If you've setup AWS credential, as described in our docs here, but are still not seeing the refresh work properly, the best place to start is the workspace logs. Logs can be observed in the workspace page in the Domino UI or by accessing kubectl and running:
kubectl logs <podname> -n <namespace> -c <container-name>
Any attempts to refresh the credentials should show up there, whether they are successful or not. Here's an example:
2021-12-14T20:40:03.908Z: INFO:__main__:-- Refreshing access token -- 4
2021-12-14T20:40:04.719Z: -- refreshing AWS credentials Domino-credential-propagation-role
If you see an error such as:
2021-12-14T20:38:04.619Z: Error assuming role 2
2021-12-14T20:38:04.619Z: An error occurred (AccessDenied) when calling the AssumeRole
operation: User: arn:aws:sts::<userid>:
assumed-role/Domino-credential-propagation-role/<userid> is not authorized
to perform: sts:TagSession on resource: arn:aws:iam::<id>:role/
Domino-credential-propagation-role 3
it means the AWS role that is setup for credential propagation is missing some necessary privileges.
This specific error can be resolved by adding sts:TagSession under the role's permitted actions.
Here's an example of the AWS role with the sts:TagSession permission added:
Comments
0 comments
Please sign in to leave a comment.