Object Store with IRSA not working

[max-ae]

I have applied the following configuration to my cluster in order to enable WAL archiving.
My Object storage is S3, CNPG is running in EKS, and I want to configure access via IRSA.

Cluster:

apiVersion: postgresql.cnpg.io/v1
kind: Cluster
spec:
  serviceAccountTemplate:
    metadata:
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::<redacted>
  plugins:
  - name: barman-cloud.cloudnative-pg.io
    isWALArchiver: true
    parameters:
      barmanObjectName: objectstore

ObjectStore:

apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
  name: objectstore
spec:
  configuration:
    data:
      compression: bzip2
    destinationPath: s3://<redacted>/<folder>
    wal:
      compression: bzip2
      maxParallel: 16

Policy attached to SA:

{
				Action: [
					"s3:PutObject",
					"s3:GetObject",
					"s3:ListBucket",
					"s3:DeleteObject",
				],
				Effect: "Allow",
				Resource: [
					"arn:aws:s3:::<redacted>",
					"arn:aws:s3:::<redacted>/*",
				],
			},

However, the WAL archiving is not working with the following error, complaining about missing Azure credentials even though my Object Storage is hosted by AWS.

{"level":"error","ts":"2025-08-13T17:06:02.383971021Z","logger":"wal-archive","msg":"Error while calling ArchiveWAL, failing","pluginName":"barman-cloud.cloudnative-pg.io","logging_pod":"metabase-database-3","error":"rpc error: code = Unknown desc = missing Azure credentials","stacktrace":"github.com/cloudnative-pg/machinery/pkg/log.(*logger).Error\n\tpkg/mod/github.com/cloudnative-pg/machinery@v0.3.0/pkg/log/log.go:125\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cnpi/plugin/client.(*data).ArchiveWAL\n\tinternal/cnpi/plugin/client/wal.go:69\ngithub.com/cloudnative-pg/cloudnative-pg/pkg/management/postgres/archiver.archiveWALViaPlugins\n\tpkg/management/postgres/archiver/archiver.go:295\ngithub.com/cloudnative-pg/cloudnative-pg/pkg/management/postgres/archiver.internalRun\n\tpkg/management/postgres/archiver/archiver.go:156\ngithub.com/cloudnative-pg/cloudnative-pg/pkg/management/postgres/archiver.Run\n\tpkg/management/postgres/archiver/archiver.go:141\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/walarchive.NewCmd.func1\n\tinternal/cmd/manager/walarchive/cmd.go:65\ngithub.com/spf13/cobra.(*Command).execute\n\tpkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1015\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tpkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1148\ngithub.com/spf13/cobra.(*Command).Execute\n\tpkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1071\nmain.main\n\tcmd/manager/main.go:71\nruntime.main\n\t/opt/hostedtoolcache/go/1.24.5/x64/src/runtime/proc.go:283"}

Versions:
CNPG 1.26.1
Barman Cloud Plugin 0.5.0

[dosubot]

Hi @max-ae! I'm Dosu and I’m helping the plugin-barman-cloud team.

The barman-cloud plugin selects the storage backend based on the destinationPath scheme in your ObjectStore configuration, so using s3://... should trigger S3 logic. The error about missing Azure credentials usually means the plugin is either misdetecting the backend or missing required S3 parameters, causing it to fall back to Azure checks.

Your IRSA annotation and IAM policy look correct, and the plugin officially supports IRSA for EKS clusters as long as the service account is annotated with eks.amazonaws.com/role-arn and the destination path is set to S3 docs.

Double-check these points:

• Make sure there are no typos or extra fields in your ObjectStore spec, especially in destinationPath.
• Ensure you are not accidentally including Azure-specific fields or credentials in your ObjectStore configuration.
• If you previously used access keys or Azure credentials, make sure all related secrets and environment variables are removed from the namespace and ObjectStore spec.

If everything looks correct and you still see the error, try explicitly specifying the S3 region in your ObjectStore configuration under data (e.g., region: us-east-1). Sometimes missing region info can cause backend misdetection.

If the issue persists, consider upgrading to the latest plugin version, as recent changes may have affected backend selection and credential validation logic PR #458.

Reference: Barman Cloud plugin object store docs

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.

[max-ae]

I solved this by adding inheritFromIAMRole to the object store. This is not mentioned in the docs for using IRSA

apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
spec:
  configuration:
    s3Credentials:
      inheritFromIAMRole: true

[gbartolini]

@max-ae do you mind adding a PR to the documentation? Thanks!

[chrrlesWork]

I solved this by adding inheritFromIAMRole to the object store. This is not mentioned in the docs for using IRSA

apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
spec:
  configuration:
    s3Credentials:
      inheritFromIAMRole: true

Thanks for the solution 💪

[GabriFedi97]

I think the issue here is at multiple levels:

1. The documentation doesn't properly inform about setting the s3Credentials.inheritFromIAMRole to true (I see this is addressed in docs: add IRSA instructions #478).
2. While the Cluster CRD was validated by a specific validating webhook checking whether at least one set of credentials are configured, the ObjectStore CRD doesn't seem to be validated via any Webhook.
3. The error logged by the plugin is quite misleading, since it informs about missing Azure credentials rather than saying that no credentials are actually defined.