I am currently following the guide published here on how to connect okteto to S3 using an IAM Role. I've hooked up several service accounts to IAM roles in other projects, but this one seems to be failing. I'm getting a continual restart with no clear error message, and the troubleshooting docs suggest this is because it cannot connect to S3.
We cannot use IAM Users in our org, so IAM roles are our only option. Whilst the policy I have created is identical to the recommended one, it differs in one respect, which is that I've included an extra statement to allow for decryption using our KMS key. All our S3 buckets are required to have server-side KMS encryption as per another organisation security policy. I suspect this is why okteto is unable to connect to it. The IAM policy should be correct and I've done similar with other apps, so I'd appreciate it if someone could confirm that this is supported and help me to debug what might be going wrong with our setup.
The extra statement in the IAM policy looks like the following. The rest of it is identical to the recommended one.
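For reference, here is the shape of a least-privilege role policy for a bucket that enforces SSE-KMS. This is an added illustration, not the poster's policy or the one from the Okteto guide; the bucket name, key ARN and region are placeholders. Note that the KMS key's own key policy must also allow the role, or the IAM statement alone is not enough.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET"
    },
    {
      "Sid": "ObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    },
    {
      "Sid": "KmsForSseKmsObjects",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:EXAMPLE-REGION:123456789012:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.EXAMPLE-REGION.amazonaws.com"
        }
      }
    }
  ]
}
```

Reads of SSE-KMS objects need kms:Decrypt and writes need kms:GenerateDataKey (plus kms:Encrypt for multipart uploads), so a statement that only grants Decrypt lets the registry read but not push. The kms:ViaService condition keeps the key usable only through S3 rather than directly by the workload.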
@cheer.b95 IAM Roles are not supported yet by the docker registry, they had a regression there and there is an open PR to fix it. In the meantime, you might use IAM users, or use a single registry replica and file system storage for now.