Hi,

I'm using the official docker image: apache/flink:1.12.1-scala_2.11-java11

I'm trying to run a Flink job on an EKS cluster. The job is running under a
k8s service account that is tied to an IAM role. If I'm not using s3 as
RocksDB checkpoint backend, everything works just fine. However, when I
enabled s3 as RocksDB checkpoint backend, I got permission denied.

The IAM role tied to the service account has the appropriate permissions to
s3. However the underlying role tied to the EKS node doesn't. After
debugging with AWS support, it looks like the request to s3 was made under
the EKS node role, not the role tied to the service account. Thus the
permission denial.

With the same Flink application, I'm also making requests to AWS Secrets
Manager to get some sensitive information and those requests were made
explicitly with AWS Java SDK 2.x bundled in the same application Jar file.
Those requests were made correctly with the IAM role tied to the service
account.

Based on the info above, I suspect Flink may be using an older version of
the AWS SDK that doesn't support assuming an IAM role via an OIDC web
identity token file. Please see AWS doc here:
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html

Could someone help me confirm this bug and maybe have it fixed some time?
Thanks.

Thomas
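The symptom described above (requests silently falling through to the node role) is worth separating into two questions: is the pod side of IRSA actually configured, and does the SDK in the code path support web identity? The following script is an added diagnostic for the first question; it is not part of the original post, of Flink, or of the AWS SDK. It assumes the standard IRSA setup, where the EKS pod-identity webhook injects `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` and projects a service-account token, and it decodes that token's claims without verifying the signature purely to report on them. The role ARN, namespace, service-account name and issuer in the sample are constructed placeholders.

```python
"""Check a pod's IRSA wiring: required env vars present, projected token
well-formed, audience/subject/expiry sane. Added diagnostic example."""
import base64
import json
import os
import time

# Environment variables injected by the EKS pod-identity webhook
# (assumption: a standard IRSA setup as in the AWS docs).
REQUIRED_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
STS_AUDIENCE = "sts.amazonaws.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_token_claims(token: str) -> dict:
    # Unverified parse, for inspection only: STS verifies the signature,
    # and nothing here trusts the token for anything but reporting.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def check_irsa(env: dict, token: str, now: float) -> list:
    """Return a list of problems; an empty list means the pod side looks right."""
    problems = []
    for name in REQUIRED_ENV:
        if not env.get(name):
            problems.append(f"{name} is not set; the SDK credential chain will "
                            "skip web identity and fall through to the node role")
    claims = decode_token_claims(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if STS_AUDIENCE not in aud:
        problems.append(f"token audience {aud} does not include {STS_AUDIENCE}")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append("token subject is not a Kubernetes service account")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired; check the projected volume refresh")
    return problems


def make_sample_token(claims: dict) -> str:
    # Constructed token with a dummy signature; real projected tokens are
    # signed by the cluster's OIDC issuer. Shape only, not a valid credential.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.dummysignature"


NOW = 1_000_000  # fixed clock for the constructed sample
SAMPLE_TOKEN = make_sample_token({
    "aud": [STS_AUDIENCE],
    "sub": "system:serviceaccount:flink:flink-job",          # constructed ns/SA
    "iss": "https://oidc.eks.example.invalid/id/EXAMPLE",   # placeholder issuer
    "iat": NOW,
    "exp": NOW + 3600,
})
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/flink-checkpoints",  # placeholder
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}


if __name__ == "__main__":
    # Inside a real pod, read the projected token; otherwise use the sample.
    token_path = os.environ.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if token_path and os.path.isfile(token_path):
        with open(token_path) as f:
            token = f.read().strip()
        env = dict(os.environ)
    else:
        token, env = SAMPLE_TOKEN, SAMPLE_ENV
    found = check_irsa(env, token, time.time())
    print("\n".join(found) or "IRSA environment looks correct on the pod side")
```

If this reports no problems yet S3 calls still arrive under the node role, the pod configuration is not the cause and the remaining suspect is the SDK in that code path: a bundled SDK older than the minimum the linked AWS page lists has no web-identity provider in its default credential chain, so the chain continues to the instance metadata service and picks up the node role. That is exactly the split the post observes, with the application's own SDK 2.x calls succeeding while the filesystem plugin's calls do not.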
