Issue with deploying through Helm on AWS EKS due to AWS credentials error

Summary

The user is unable to deploy through Helm on AWS EKS because of an AWS credentials error. The error message indicates a problem with loading AWS credentials from various providers.


Question

Hi Team,
I’m encountering an issue when deploying through Helm on AWS EKS. The error I receive is:

```
[EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)),
SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey),
WebIdentityTokenCredentialsProvider: You must specify a value for roleArn and roleSessionName,
com.amazonaws.auth.profile.ProfileCredentialsProvider@7a6aa30b: profile file cannot be null,
com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@423612fa: Unauthorized (Service: null; Status Code: 401; Error Code: null; Request ID: null; Proxy: null)]
```

Here is the relevant section of my `values.yaml`:

```
global:
  serviceAccountName: "dev-sa"
  storage:
    type: s3
    bucket:
      log: dev-s3
      state: dev-s3
      workloadOutput: dev-s3
    s3:
      region: us-east-2
      authenticationType: "instanceProfile"
```

*App Version: 0.63.6*
*EKS Version: 1.30*
Any help or advice on resolving this issue would be greatly appreciated!


---

This topic has been created from a Slack thread to give it more visibility.
It will be on Read-Only mode here. [Click here](https://airbytehq.slack.com/archives/C021JANJ6TY/p1725896626586719) if you want to access the original thread.


<sub>
["helm", "aws-eks", "aws-credentials", "values.yaml", "s3", "authentication-type"]
</sub>

Thanks <@U03FNJGED7D>. It’s working.

instanceProfile for auth just means default AWS SDK provider chain (it’s a terrible name) - how are you intending to auth? node role would work by default, but it’s obviously less secure. if you want to use IRSA (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), then you need to add the appropriate role annotation to the airbyte service account:

```
  annotations:
    eks.amazonaws.com/role-arn: ${role_arn}
```

Hi <@U03FNJGED7D>
I am using a ServiceAccount to access S3. I have already attached an IAM role to the SA.
I am still getting the error.

did you attach with the helm chart or some other way? if another way, have you restarted the pods since you made the attachment?

No. I created the SA separately. Then I use the SA in the Airbyte Helm chart.

you’re passing it in the serviceAccount section of your values.yaml?

```
Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: Unable to find a region via the region provider chain.
```

This is the error I am getting. <@U03FNJGED7D>

i’d focus on `Unable to find a region via the region provider chain`. Is `AWS_DEFAULT_REGION` set in your pods? I’d expect that to be automatically set by EKS

In the worker and server, I added that env.

Did I miss anything, <@U03FNJGED7D>?

it sounds like you’ve set this up slightly differently than I did, so I don’t have any additional insight here (I’m just another user!)

Could you kindly provide your values.yaml, if possible, so that I can verify it?

I provided the entire serviceAccount section already, which is the relevant segment here.

OK, let me try creating the SA at the time of Airbyte creation (Helm install).
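
A preflight check for the IRSA setup discussed in this thread, added here as an example (it is not from the thread's participants or the Airbyte project): run inside a pod, for instance through `kubectl exec`, it checks the two variables EKS injects for an annotated service account and the region setting that the second error complains about. The function name `irsa_check` and its bitmask return code are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): IRSA preflight for a running pod.
# irsa_check and its bitmask return code are hypothetical conventions.
# Return code bits: 1 = role ARN missing, 2 = token missing, 4 = region missing.
irsa_check() {
    rc=0
    # EKS injects AWS_ROLE_ARN only into pods created after the service
    # account received the eks.amazonaws.com/role-arn annotation.
    if [ -z "${AWS_ROLE_ARN:-}" ]; then
        echo "FAIL AWS_ROLE_ARN unset: annotate the service account, then restart the pod"
        rc=$((rc + 1))
    else
        echo "OK   AWS_ROLE_ARN=${AWS_ROLE_ARN}"
    fi
    # The projected token is a bearer credential: test it, never print it.
    token_file="${AWS_WEB_IDENTITY_TOKEN_FILE:-}"
    if [ -z "$token_file" ]; then
        echo "FAIL AWS_WEB_IDENTITY_TOKEN_FILE unset: pod was not mutated for IRSA"
        rc=$((rc + 2))
    elif [ ! -r "$token_file" ] || [ ! -s "$token_file" ]; then
        echo "FAIL token file ${token_file} is unreadable or empty"
        rc=$((rc + 2))
    else
        echo "OK   token file ${token_file} is readable"
    fi
    # The second error in the thread is the web identity provider failing
    # to find a region, so check the region variables as well.
    if [ -z "${AWS_REGION:-}${AWS_DEFAULT_REGION:-}" ]; then
        echo "FAIL neither AWS_REGION nor AWS_DEFAULT_REGION is set"
        rc=$((rc + 4))
    else
        echo "OK   region=${AWS_REGION:-$AWS_DEFAULT_REGION}"
    fi
    return "$rc"
}

# Stand-alone run: report the result without aborting under `set -e`.
irsa_check || echo "irsa_check failed with code $?"
```

A return code of 1 or 3 after annotating the service account usually means the pod predates the annotation, which is why the restart question earlier in the thread matters.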