Hardcoded disabled "automountServiceAccountToken" breaks IAM based S3 authentication
Summary
Using IAM based S3 authentication as described at https://docs.gitlab.com/charts/advanced/external-object-storage/aws-iam-roles.html fails, as this depends on mounting the service account token, which has been disabled in !2093 (merged).
Manually re-enabling auto-mount on the deployments works as expected.
Steps to reproduce
Setting up IAM based authentication
Configuration used
    global:
      serviceAccount:
        annotations:
          eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXXXXX:role/role-name
        create: true
        enabled: true
        name: role-name
Current behavior
403 Forbidden error when trying to upload files to S3 from within GitLab
Expected behavior
Successful authentication when uploading files
Versions
- Chart: 5.8.2
- Platform:
  - Cloud: EKS
- Kubernetes: (kubectl version)
  - Client: v1.23.4
  - Server: v1.21.5-eks-bc4871b
- Helm: (helm version)
  - Client: v3.8.1
Relevant logs
"exception.message": "Expected(200) <=> Actual(403 Forbidden)\nexcon.error.response\n :body => \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>3FBDK0GM0VZHM6NQ</RequestId><HostId>qCS5/rsCKwHxfU02hdWX+nF4Jo1OUpG16ldpZBgqlm2Xe4eHGEgT0yEAMeO+VLsYnvj1tZr7nrw=</HostId></Error>\"\n :cookies => [\n ]\n :headers => {\n \"Content-Type\" => \"application/xml\"\n \"Date\" => \"Fri, 18 Mar 2022 15:49:52 GMT\"\n \"Server\" => \"AmazonS3\"\n \"x-amz-id-2\" => \"qCS5/rsCKwHxfU02hdWX+nF4Jo1OUpG16ldpZBgqlm2Xe4eHGEgT0yEAMeO+VLsYnvj1tZr7nrw=\"\n \"x-amz-request-id\" => \"3FBDK0GM0VZHM6NQ\"\n }\n :host => \"bucketname.s3.eu-central-1.amazonaws.com\"\n :local_address => \"10.208.27.219\"\n :local_port => 38132\n :path => \"/tmp/uploads/1647618593-30-0008-3641-266a20299c75237365e82ead8e732574\"\n :port => 443\n :reason_phrase => \"Forbidden\"\n :remote_ip => \"52.219.75.200\"\n :status => 403\n :status_line => \"HTTP/1.1 403 Forbidden\\r\\n\"\n",
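
Added example, not part of the original issue or of the GitLab chart: a check for the combination reported above, where a ServiceAccount carries the `eks.amazonaws.com/role-arn` annotation but the workload ends up with `automountServiceAccountToken` disabled. The object names, the `gitlab` namespace and the sample items are constructed; the input is assumed to have the shape of the items from `kubectl get sa,deploy -o json`.

```python
ROLE_ANNOTATION = "eks.amazonaws.com/role-arn"

def _deploy(name, sa, automount=None):
    """Build a minimal Deployment dict (constructed sample data)."""
    pod = {"serviceAccountName": sa}
    if automount is not None:
        pod["automountServiceAccountToken"] = automount
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": "gitlab"},
            "spec": {"template": {"spec": pod}}}

# Constructed sample, shaped like items from `kubectl get sa,deploy -o json`.
SAMPLE_ITEMS = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "role-name", "namespace": "gitlab", "annotations": {
         ROLE_ANNOTATION: "arn:aws:iam::XXXXXXXXXX:role/role-name"}}},
    {"kind": "ServiceAccount", "metadata": {"name": "plain", "namespace": "gitlab"}},
    _deploy("app-a", "role-name", automount=False),  # the reported combination
    _deploy("app-b", "role-name"),                   # unset: defaults to mounting
    _deploy("app-c", "plain", automount=False),      # no IAM role: not affected
]

def effective_automount(pod_spec, service_account):
    """Pod spec wins, then the ServiceAccount, else Kubernetes defaults to True."""
    for source in (pod_spec, service_account or {}):
        value = source.get("automountServiceAccountToken")
        if value is not None:
            return value
    return True

def find_affected(items):
    """Return (namespace, deployment, role ARN) where a role is set but no token mounts."""
    accounts = {(i["metadata"].get("namespace", "default"), i["metadata"]["name"]): i
                for i in items if i["kind"] == "ServiceAccount"}
    affected = []
    for item in items:
        if item["kind"] != "Deployment":
            continue
        ns = item["metadata"].get("namespace", "default")
        pod = item["spec"]["template"]["spec"]
        sa = accounts.get((ns, pod.get("serviceAccountName", "default")))
        annotations = (sa or {}).get("metadata", {}).get("annotations") or {}
        role = annotations.get(ROLE_ANNOTATION)
        if role and not effective_automount(pod, sa):
            affected.append((ns, item["metadata"]["name"], role))
    return affected

if __name__ == "__main__":
    for ns, name, role in find_affected(SAMPLE_ITEMS):
        print(f"{ns}/{name}: {role} is annotated but the token is not mounted")
```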