Unable to define a service account for replica set or SSE for s3 backups

Hi, I’m trying to use the percona mongodb operator to deploy a basic mongodb cluster that backs up to s3, I’m using EKS with IRSA.

In order to use s3 as a backend I need to be able to do 2 things:

  1. I need to be able to define a service account with an eks annotation on the replica set that runs the backup sidecar. This is to allow my pods to ccorrectly assume an IAM role and have write permissions to my s3 bucket. Currently the replicaset uses the ‘default’ service account which appears to be created by the operator and there isn’t any configuration available to override its settings or define a new SA. I’ve tried modifying the backup.serviceAccountName field but that does not appear to modify the replicaset.
  2. The percona mongodb backup agent supports SSE (server side encryption via KMS) but this does not appear to be available to the operator config under backup

Is there any way around these 2 problems?


Hello @sam55 ,

thanks for submitting the question.

  1. The way it works right now is the following:
  • You attach the policy to EKS when creating it
  • In the Operator CR you do not specify credentialsSecret, PBM will use EC2 metadata to authenticate requests to S3.

Please let me know if it still does not work.

  1. We don’t support it yet in the Operator. I have created the ticket for it: [K8SPSMDB-850] Add support for Server Side Encryption for backups - Percona JIRA, but do not have any ETA of when is it going to be shipped. Please let me know more about your use case and the level of prio here.

Were you able to implement service account iam role (irsa) for s3 backups?