Unable to get the aws credentials for the tasklist operate and optimize

Camunda 8 Topics
, , , ,
1

getting below error, we have configured the IRSA role(opensearch postgress db) for each service account still we are getting this error
:: Spring Boot :: (v3.4.7)

[2025-08-04 15:33:54.993] [background-preinit] INFO
org.hibernate.validator.internal.util.Version - HV000001: Hibernate Validator 8.0.2.Final
[2025-08-04 15:33:55.203] [main] INFO
io.camunda.operate.schema.migration.SchemaMigration - Starting SchemaMigration v8.7.7 using Java 21.0.7 with PID 1 (/usr/local/operate/lib/operate-schema-8.7.7.jar started by camunda in /usr/local/operate)
[2025-08-04 15:33:55.204] [main] INFO
io.camunda.operate.schema.migration.SchemaMigration - The following 1 profile is active: “identity-auth”
[2025-08-04 15:33:56.829] [main] INFO
io.camunda.operate.connect.OperateDateTimeFormatter - rfc3339ApiDateFormat is set to false, operate API will format datetimes in the existing format
[2025-08-04 15:33:56.841] [main] INFO
io.camunda.operate.connect.OpensearchConnector - AWS Credentials are disabled. Using basic auth.
[2025-08-04 15:33:57.673] [main] WARN
org.springframework.context.annotation.AnnotationConfigApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name ‘schemaMigration’: Unsatisfied dependency expressed through field ‘schemaStartup’: Error creating bean with name ‘schemaStartup’: Unsatisfied dependency expressed through field ‘schemaManager’: Error creating bean with name ‘schemaManager’ defined in URL [jar:file:/usr/local/operate/lib/operate-schema-8.7.7.jar!/io/camunda/operate/schema/opensearch/OpensearchSchemaManager.class]: Unsatisfied dependency expressed through constructor parameter 1: Error creating bean with name ‘io.camunda.operate.store.opensearch.client.sync.RichOpenSearchClient’ defined in URL [jar:file:/usr/local/operate/lib/operate-schema-8.7.7.jar!/io/camunda/operate/store/opensearch/client/sync/RichOpenSearchClient.class]: Unsatisfied dependency expressed through constructor parameter 1: Error creating bean with name ‘openSearchClient’ defined in class path resource [io/camunda/operate/connect/OpensearchConnector.class]: Failed to instantiate [org.opensearch.client.opensearch.OpenSearchClient]: Factory method ‘openSearchClient’ threw exception with message: Jackson exception: Unrecognized token ‘Unauthorized’: was expecting (JSON String, Number, Array, Object or token ‘null’, ‘true’ or ‘false’)
at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 13]
bms@JLJ4C9KH9T camunda-platform % kubectl logs camunda-platform-optimize-6858fc7dbd-c2slc -n camunda-platform -c migration

Starting Camunda Optimize Upgrade to 8.7.5…

15:38:12,445 |-INFO in ch.qos.logback.classic.LoggerContext[default] - This is logback-classic version 1.5.18
15:38:12,447 |-INFO in ch.qos.logback.classic.util.ContextInitializer@1a4927d6 - Here is a list of configurators discovered as a service, by rank:
15:38:12,448 |-INFO in ch.qos.logback.classic.util.ContextInitializer@1a4927d6 - org.springframework.boot.logging.logback.RootLogLevelConfigurator
15:38:12,448 |-INFO in ch.qos.logback.classic.util.ContextInitializer@1a4927d6 - They will be invoked in order until ExecutionStatus.DO_NOT_INVOKE_NEXT_IF_ANY is returned.
15:38:12,448 |-INFO in ch.qos.logback.classic.util.ContextInitializer@1a4927d6 - Constructed configurator of type class org.springframework.boot.logging.logback.RootLogLevelConfigurator
15:38:12,460 |-INFO in ch.qos.logback.classic.util.ContextInitializer@1a4927d6 - org.springframework.boot.logging.logback.RootLogLevelConfigurator.configure() call lasted 0 milliseconds. ExecutionStatus=INVOKE_NEXT_IF_ANY

image
image1920×1249 300 KB

2

Hi @shridhara_bm, thanks for tagging this on LinkedIn. It sounds like there might actually be two questions here:

  • how do you use AWS IRSA with deployments (OpenSearch, Postgres authentication, etc.)
  • does IDP support IRSA

For the first question, can you share your Helm values.yaml file (with secrets redacted, of course)? Also, have you reviewed the configuration and ran the test script?

For IDP, unfortunately the connector only supports access keys at this time. I’ve asked the team if they have anything on the roadmap to support this in the future and I’ll let you know what they say.

3

@shridhara_bm - I spoke with our engineering team, and this is not guaranteed, but they are currently planning to support IRSA for IDP in the 8.9 release. Again, this isn’t fully committed on the roadmap yet so it’s not a promise, but that is the current plan.

You can also add a suggestion to roadmap.camunda.com (there’s a button in the top right), and that will alert our product management team. The more information we have about what features are being requested, the better they can prioritize!