
Known Issue: STS GetCallerIdentity failing because of a region not specified bug #57

Closed
solonish opened this issue Sep 22, 2021 · 7 comments
Labels
announcement Announce Code releases, Known Issues

Comments

@solonish
Contributor

There is currently a known issue with the plugin that is preventing certificate issuance due to STS GetCallerIdentity failing because of a region-not-specified bug, regardless of whether a region was specified or not (#54). There is an existing pull request to fix this (#53), but we are holding off on accepting any pull requests until our testing is redesigned. To fix this issue until then, please check out the cleanup branch by running:

git fetch -a
git checkout cleanup

Also, please be sure you are using the plugin with an IAM user, as that is the most reliable workflow: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
This user must have the minimum permissions listed here: https://github.com/cert-manager/aws-privateca-issuer#configuration

export AWS_SECRET_ACCESS_KEY=<Secret Access Key you generated>
export AWS_ACCESS_KEY_ID=<Access Key you generated>

@solonish solonish pinned this issue Oct 6, 2021
@solonish solonish added the announcement Announce Code releases, Known Issues label Oct 6, 2021
@bsharma-tavisca

By when can we expect a new release?

@solonish
Contributor Author

solonish commented Oct 8, 2021

By when can we expect a new release?

The CI/CD and testing modifications are going through their final security review, after which we will cut a new release. Thank you for your patience

@bradyburke

@solonish Any update on this? Can't seem to run Issuer or ClusterIssuer on EKS with access keys and secret keys in a Kubernetes secret.

@varunvallabhan52

varunvallabhan52 commented Oct 27, 2021

@bradyburke Thank you for raising this issue with the AWS Private CA Issuer plugin. We have reviewed your submission, but have been unable to replicate the issue you raised. Would it be possible for you to share steps to reproduce the error and your logs? We would appreciate your continuing input to repeat and then resolve this issue.

@bradyburke

bradyburke commented Oct 27, 2021

@varunvallabhan52
Running an EKS cluster with Kubernetes version 1.20. Applied a secret using helm:

apiVersion: v1
kind: Secret          # required field; without it the manifest is rejected
metadata:
  name: amc-pca-creds
  namespace: cert-manager
data:
  # values under data must be base64-encoded; use stringData for plain text
  AWS_ACCESS_KEY_ID: "{{ .Values.accessKey }}"
  AWS_SECRET_ACCESS_KEY: "{{ .Values.secretKey }}"

Then applied the ClusterIssuer

apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: internal
spec:
  arn: {{ .Values.awsPca.arn }}
  region: "us-east-2"
  secretRef:
    namespace: cert-manager
    name: amc-pca-creds

Pod logs:

{"level":"error","ts":1635351796.0990462,"logger":"controller-runtime.manager.controller.awspcaclusterissuer","msg":"Reconciler error","reconciler group":"awspca.cert-manager.io","reconciler kind":"AWSPCAClusterIssuer","name":"starburstinternal","namespace":"","error":"operation error STS: GetCallerIdentity, failed to resolve service endpoint, an AWS region is required, but was not found","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/zapr@v0.2.0/zapr.go:132\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.3/pkg/internal/controller/controller.go:302\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.3/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.3/pkg/internal/controller/controller.go:216\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.UntilWithContext\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:99"}

Edit: Workaround was to run a kube set command for the deployment post helm chart install and pre ClusterIssuer creation:

kubectl set env deployment/awspca-aws-privateca-issuer AWS_REGION=us-east-2 -n cert-manager
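The first comment describes the bug (the region from the issuer spec never reaches the SDK, so STS GetCallerIdentity fails) and the comment above shows both the reconcile error and the AWS_REGION workaround. The following is an added example, not code from the aws-privateca-issuer project or from any commenter: it models the region-resolution order that the workaround implies (spec.region, then AWS_REGION, then AWS_DEFAULT_REGION), a deliberately broken resolver that reproduces the symptom, a check that the referenced Secret carries both credential keys, and a small detector that recognises the "an AWS region is required" reconcile error in controller-runtime JSON logs. The function names, the precedence order and the shortened log record are assumptions made for this example; the error string is the one posted in the thread.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// envLookup abstracts os.LookupEnv so the resolution order can be exercised
// without touching the real process environment.
type envLookup func(key string) (string, bool)

// resolveRegion returns the region an issuer should hand to the AWS SDK config.
// Precedence (an assumption about intended behaviour, not the plugin's code):
// spec.region first, then AWS_REGION, then AWS_DEFAULT_REGION. Failing early
// here surfaces a clear message instead of the late STS reconcile error.
func resolveRegion(specRegion string, lookup envLookup) (string, error) {
	if specRegion != "" {
		return specRegion, nil
	}
	for _, key := range []string{"AWS_REGION", "AWS_DEFAULT_REGION"} {
		if v, ok := lookup(key); ok && v != "" {
			return v, nil
		}
	}
	return "", errors.New("no AWS region: set spec.region or the AWS_REGION environment variable")
}

// resolveRegionIgnoringSpec models the symptom reported in this thread (hypothetical,
// not the plugin's actual code): spec.region is never consulted, so only the process
// environment can satisfy the SDK, which is why setting AWS_REGION on the
// deployment makes the error go away.
func resolveRegionIgnoringSpec(_ string, lookup envLookup) (string, error) {
	return resolveRegion("", lookup)
}

// validateCredentialSecret checks that the Secret named by secretRef carries both
// keys the issuer reads. The map stands in for the decoded Secret data the
// controller receives from the API server.
func validateCredentialSecret(data map[string][]byte) error {
	var missing []string
	for _, key := range []string{"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"} {
		if len(strings.TrimSpace(string(data[key]))) == 0 {
			missing = append(missing, key)
		}
	}
	if len(missing) > 0 {
		return fmt.Errorf("credential secret missing keys: %v", missing)
	}
	return nil
}

// reconcileRecord is the subset of a controller-runtime JSON log line needed to
// recognise the STS failure; encoding/json ignores the other fields.
type reconcileRecord struct {
	Level string `json:"level"`
	Kind  string `json:"reconciler kind"`
	Name  string `json:"name"`
	Error string `json:"error"`
}

// isMissingRegionError reports whether a log line is the "region not found"
// reconcile error from the thread and returns the issuer name it concerns.
// Non-JSON lines and unrelated errors yield (false, "").
func isMissingRegionError(line string) (bool, string) {
	var rec reconcileRecord
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return false, ""
	}
	if rec.Level != "error" || !strings.Contains(rec.Error, "an AWS region is required") {
		return false, ""
	}
	return true, rec.Name
}

// Constructed sample: a shortened copy of the log line posted above, with the
// stacktrace field dropped and the issuer name set to "internal".
const sampleLog = `{"level":"error","logger":"controller-runtime.manager.controller.awspcaclusterissuer","msg":"Reconciler error","reconciler kind":"AWSPCAClusterIssuer","name":"internal","namespace":"","error":"operation error STS: GetCallerIdentity, failed to resolve service endpoint, an AWS region is required, but was not found"}`

func main() {
	if hit, name := isMissingRegionError(sampleLog); hit {
		fmt.Printf("issuer %q failed: region never reached the SDK config\n", name)
	}
	region, err := resolveRegion("us-east-2", envLookup(os.LookupEnv))
	fmt.Println("resolved region:", region, "err:", err)
	err = validateCredentialSecret(map[string][]byte{"AWS_ACCESS_KEY_ID": []byte("constructed-key-id")})
	fmt.Println("secret check:", err)
}
```

The detector is the piece a defender can reuse directly: pointing it at the issuer pod's log stream separates a misconfigured region from genuine credential or permission failures, which also show up as reconcile errors but carry a different STS error text.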

@varunvallabhan52

Thank you for reaching out to Amazon AWS. We have resolved the query; for more information, refer to PR #53. Please reach out if you have any issues or questions.

@divyansh-gupta
Contributor

A new release v1.0.0 has been cut that resolves this issue.

@divyansh-gupta divyansh-gupta unpinned this issue Nov 19, 2021