I have tried setting up any kind of AWS provider with authentication of EKSPodIdentity with no luck, can't find any documentation expect this and it doesnt seem to work
I have set up EKSPodIdentity following AWS documentation, added OIDC provider and everything looks to be configured properly, but I still get this error:
crossplane annot get credentials: no extraction handler registered for source: PodIdentity
I have found the issue, the serviceaccounttemplate parameter was wrong, plus, you have to set up the crossplane's service account appropriately, apperently, EKS requires a specific annotation for the service account, according to this documentation , which in my case had to be added via the crossplane helm & terraform since thats how I installed it, like this:
resource "helm_release" "crossplane" {
name = "crossplane"
repository = "https://charts.crossplane.io/stable"
namespace = var.crossplane_config.namespace
create_namespace = true
chart = "crossplane"
version = "1.19.1"
timeout = "300"
values = [<<EOF
serviceAccount:
name: "${var.crossplane_config.service_account_name}"
customAnnotations:
"eks.amazonaws.com/role-arn": "${aws_iam_role.crossplane_oidc_role.arn}"
EOF
]
}
Additionally, notice the service account name specification, I've made sure it matches the DeploymentRuntimeConfig Crossplane resource:
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
name: podidentity-drc
spec:
serviceAccountTemplate:
metadata:
name: crossplane
---
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
name: default
spec:
serviceAccountTemplate:
metadata:
name: crossplane
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-aws
spec:
package: xpkg.upbound.io/upbound/provider-aws-s3:v1
runtimeConfigRef:
name: podidentity-drc