issue when using barman plugin with AWS S3 IRSA

[josmo]

When moving from the native backup to the new plugin style, there's an issue with authentication to AWS.

I've followed the configuration of including the correct role in

  serviceAccountTemplate:
    metadata:
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::xxxxxxxxx:role/role

as well as the inheritFromIAMROle

spec:
  retentionPolicy: "30d"
  configuration:
    destinationPath: s3://mybucketxxxx/key1/key2/
    s3Credentials:
      inheritFromIAMRole: true
    wal:
      compression: bzip2

However we keep getting errors like the following in the plugin sidecar

WARNING: Refreshing temporary credentials failed during mandatory refresh period.
ERROR: Barman cloud WAL archive check exception: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account for https://oidc.eks.us-gov-west-1.amazonaws.com/id/xxxxxxxxxxxx

This works with the native backup with the same role, to the same bucket.

[dosubot]

Your IRSA setup and plugin config look correct, but the error means AWS can't find the OIDC provider for your EKS cluster. The barman plugin relies on the standard AWS SDK IRSA flow: it sets up the environment so the SDK uses AssumeRoleWithWebIdentity, just like the native backup, but it does not fetch credentials itself. This error almost always means the OIDC provider for your EKS cluster is missing or misconfigured in your AWS account—even if native backup works, the plugin may trigger a different code path or environment that exposes the missing provider.

Double-check in the AWS console (IAM > Identity providers) that the OIDC provider for your EKS cluster URL (e.g., https://oidc.eks.us-gov-west-1.amazonaws.com/id/xxxxxxxxxxxx) exists and is associated with the correct IAM role. If you recently recreated the cluster or changed regions/accounts, the provider may need to be re-added. Also, make sure there are no conflicting environment variables or webhook mutations in your cluster that could affect the plugin sidecar's AWS_* environment (this has caused issues for EKS users before) source.

If you see errors about missing Azure credentials, or if the plugin seems to misdetect the backend, ensure there are no Azure fields or secrets left in your ObjectStore spec or namespace, and try explicitly setting the S3 region in your ObjectStore config source.

The key troubleshooting steps are:

• Confirm the OIDC provider for your EKS cluster exists in AWS and is linked to the IAM role.
• Ensure inheritFromIAMRole: true is set under s3Credentials in your ObjectStore (which you have).
• Remove any old or conflicting cloud provider secrets/env vars from the namespace.
• Explicitly set the S3 region in your ObjectStore config if not already present.
• Check for any webhook or admission controller that might inject or override AWS_* env vars in the plugin sidecar.

If all of these are correct and the problem persists, try upgrading to the latest plugin version, as there have been recent fixes around backend selection and credential validation source.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[josmo]

This was completely on our side, someone accidently used the com arn for the role instead of the gov account role.

[jaredcdep]

I think a note on https://cloudnative-pg.io/plugin-barman-cloud/docs/object_stores/#iam-role-for-service-account-irsa about inheritFromIAMROle may be handy, as I missed that step

Edit: already in #478