You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What happened: Trying to build in the gov cloud region is was noticed that the BINARY_BUCKET_REGION is being used to assume the region of ecr when utilizing cached images.
According to the documentation the IAM policy to build the nodes should have the same region you are building the AMI in. reference
In the install-worker.sh this ends up passing the BINARY_BUCKET_REGION which defaults to the us-west-2 location. This allows to point to some other bucket in any region to pull the binaries which should be acceptable.
However it should not be assumed that the BINARY_BUCKET_REGION is the region to pull from ecr. It is also noticed the eks addons do not pass a region, so the assumption is this would query the region the AMI is being built for the addons which should probably match the ECR location to pull from.
What you expected to happen: I would expect when using the cached images it would query the region from the meta-data for the ecr-uri in order for the policy that states to use the same region for the AMI could succeed.
How to reproduce it (as minimally and precisely as possible): Build in a different region and use a policy that does not allow it to pull from us-west-2.
Environment:
AWS Region: us-gov-east-1
The text was updated successfully, but these errors were encountered:
What happened: Trying to build in the gov cloud region is was noticed that the BINARY_BUCKET_REGION is being used to assume the region of ecr when utilizing cached images.
According to the documentation the IAM policy to build the nodes should have the same region you are building the AMI in. reference
In the install-worker.sh this ends up passing the BINARY_BUCKET_REGION which defaults to the us-west-2 location. This allows to point to some other bucket in any region to pull the binaries which should be acceptable.
However it should not be assumed that the BINARY_BUCKET_REGION is the region to pull from ecr. It is also noticed the eks addons do not pass a region, so the assumption is this would query the region the AMI is being built for the addons which should probably match the ECR location to pull from.
What you expected to happen: I would expect when using the cached images it would query the region from the meta-data for the ecr-uri in order for the policy that states to use the same region for the AMI could succeed.
How to reproduce it (as minimally and precisely as possible): Build in a different region and use a policy that does not allow it to pull from us-west-2.
Environment:
The text was updated successfully, but these errors were encountered: