How to configure Looker to use Web Identity on AWS EKS

Hi,

I am building a staging/test cluster on AWS EKS. It looks like Looker only uses the AWS metadata service to get the token for the instance profile to authenticate with AWS. I have set up a service account to run the pod, and the service account is bound to an IAM role with permissions to use the CMK.

The AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are set correctly, and I can verify that by running “aws sts get-caller-identity” on the pod. However, when starting Looker, it will error out saying the role that’s used for the node group does not have permission to get the CMK key. It would work if I added the permissions to the node group role. So it is clear that Looker does not use the provided Web Identity to auth.

Is there another variable or parameter to change the behavior?

Thanks
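An added diagnostic, not part of the original post and not Looker's or AWS's own code. It reads the two environment variables the post names (AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, which are what the AWS SDK default credential chain consults before falling back to the instance metadata service), decodes the projected service-account token's payload without verifying its signature, and reports which credential source a standard SDK chain would select. The expected audience `sts.amazonaws.com`, the `system:serviceaccount:<ns>:<name>` subject format, the role ARN, namespace and issuer URL in the demo are assumptions for illustration; the demo token is constructed and carries a placeholder signature, so this only checks the pod side is wired correctly. A process that reads only the metadata service, as the post describes, would ignore all of this and present the node-group role, which matches the error reported.

```python
"""IRSA (IAM Roles for Service Accounts) pod-side diagnostic.

Inspection only: the token signature is NOT verified here. EKS issues
RS256-signed projected tokens; validating them is STS's job, not ours.
"""
import base64
import json
import os
import tempfile
from pathlib import Path

# Default audience EKS projects into the token for IRSA (assumption: default used)
EXPECTED_AUDIENCE = "sts.amazonaws.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims. No signature verification: inspection only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED demo token with a placeholder signature (demo input only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'demo'})}.{enc(claims)}.placeholder-signature"


def check_irsa(env: dict, now: float) -> dict:
    """Report which source the SDK default chain would pick: web identity or IMDS fallback."""
    report = {"credential_source": "imds", "problems": []}
    role_arn = env.get("AWS_ROLE_ARN")
    token_path = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not role_arn:
        report["problems"].append("AWS_ROLE_ARN not set")
    if not token_path:
        report["problems"].append("AWS_WEB_IDENTITY_TOKEN_FILE not set")
    if report["problems"]:
        return report  # chain skips web identity entirely -> node role via IMDS
    path = Path(token_path)
    if not path.is_file():
        report["problems"].append(f"token file {token_path} missing or unreadable")
        return report
    try:
        claims = decode_jwt_payload(path.read_text())
    except (ValueError, json.JSONDecodeError) as exc:
        report["problems"].append(f"token not decodable: {exc}")
        return report
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud_list:
        report["problems"].append(f"audience {aud_list} lacks {EXPECTED_AUDIENCE}")
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        report["problems"].append("token expired; kubelet should have rotated it")
    sub = claims.get("sub", "")
    if not sub.startswith("system:serviceaccount:"):
        report["problems"].append(f"unexpected subject {sub!r}")
    report.update(role_arn=role_arn, subject=sub, expires=exp)
    if not report["problems"]:
        report["credential_source"] = "web_identity"
    return report


def run_demo():
    """Constructed demo: a pod with a valid projected token vs. one with no IRSA env."""
    now = 1_700_000_000  # fixed clock so the expiry check is deterministic
    claims = {
        "iss": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE",  # placeholder issuer
        "aud": [EXPECTED_AUDIENCE],
        "sub": "system:serviceaccount:looker:looker",  # assumed namespace/SA name
        "iat": now,
        "exp": now + 3600,
    }
    with tempfile.TemporaryDirectory() as tmp:
        token_path = os.path.join(tmp, "token")
        Path(token_path).write_text(make_unsigned_token(claims))
        good = check_irsa(
            {
                "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/looker-irsa-demo",  # placeholder
                "AWS_WEB_IDENTITY_TOKEN_FILE": token_path,
            },
            now=now,
        )
        bad = check_irsa({}, now=now)  # env vars absent: chain falls through to IMDS
    return good, bad


if __name__ == "__main__":
    for label, rep in zip(("pod with IRSA", "pod without IRSA"), run_demo()):
        print(label, json.dumps(rep, indent=2))
```

Run it inside the pod (with `os.environ` and `time.time()` in place of the demo values) to confirm the projected token and role ARN are present and sane. If the report says `web_identity` but the application still authenticates as the node-group role, the application is not honouring the SDK chain, and the fix lies in its configuration rather than in the cluster.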
