Create AWS KMS new key issue #685
Comments
Could you reformat the YAML and code snippets with markdown? Also it's really hard to read/reproduce with all the indentation gone. See

Hello @muvaf, apologies for that. I've marked a template I've used for object creation and uploaded an output of kubectl for convenience.
I am also getting an error while creating, not exactly the same one: "failed to describe Key: EmptyStaticCreds: static credentials are empty". [NOTE: Using IRSA for credentials]
Just to add: I created the sample key from the documentation, even that one, https://github.com/crossplane/provider-aws/blob/master/examples/kms/key.yaml. I tried with the AWS CLI, and it worked fine with the AWS CLI, so can anyone suggest something on this?
What is the exception in Crossplane when you create the example?
I am similarly getting an error when trying to create an AWS KMS key. Below is my example:
Crossplane version: 1.2.2
Today we also have one environment with this issue directly in EKS... it looks like, directly after applying the resource in k8s, Crossplane adds an annotation, for example:
I have found the same issue still occurs.

manifest-1.yaml - Invalid keyId

```yaml
apiVersion: kms.aws.crossplane.io/v1alpha1
kind: Key
metadata:
  name: "martin"
  labels:
    purpose: paas-orgs
    provider: aws
spec:
  deletionPolicy: "Delete"
  providerConfigRef:
    name: crossplane-provider-aws
  forProvider:
    bypassPolicyLockoutSafetyCheck: false
    customerMasterKeySpec: "SYMMETRIC_DEFAULT"
    enabled: true
    keyUsage: "ENCRYPT_DECRYPT"
    origin: "AWS_KMS"
    policy: "POLICY JSON"
    region: "eu-west-1"
    tags:
      - tagKey: author
        tagValue: crossplane-provider-aws
  writeConnectionSecretToRef:
    name: "martin-test-xplane-kms-key-secret"
    namespace: "crossplane-system"
```

Results:

manifest-2.yaml - keyId not found

Using a valid keyId, but the key doesn't exist on the account; my objective is to create a new key.

```yaml
apiVersion: kms.aws.crossplane.io/v1alpha1
kind: Key
metadata:
  name: "martin"
  annotations:
    crossplane.io/external-name: "55555555-089b-4193-bf05-03f6a3e743c4"
  labels:
    purpose: paas-orgs
    provider: aws
spec:
  deletionPolicy: "Delete"
  providerConfigRef:
    name: crossplane-provider-aws
  forProvider:
    bypassPolicyLockoutSafetyCheck: false
    customerMasterKeySpec: "SYMMETRIC_DEFAULT"
    enabled: true
    keyUsage: "ENCRYPT_DECRYPT"
    origin: "AWS_KMS"
    policy: "... POLICY JSON ..."
    region: "eu-west-1"
    tags:
      - tagKey: author
        tagValue: crossplane-provider-aws
  writeConnectionSecretToRef:
    name: "martin-test-xplane-kms-key-secret"
    namespace: "crossplane-system"
```

Results:

Using an existing keyId, it works as expected, attaching the k8s resource to the existing AWS one.
In my point of view, the problem is that provider-aws, directly after kubectl apply adds the k8s object, also adds the annotation for external-name, and the "failed to describe key" problem then comes from this code snippet: https://github.com/crossplane/provider-aws/blob/master/pkg/controller/kms/key/zz_controller.go#L82 because the Observer thinks that it needs to check if the key exists ...
Hey folks! So the issue with the external-name is due to the fact that the KMS key ID is non-deterministic, I believe (correct me if I am wrong). What we would want to do in this case is override the default initializers, like we do here: This is saying only use The static credentials bug is a separate issue that needs to be addressed in authentication with the v1 API.

we have changed to
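To make the cause-and-fix discussed in the last two comments concrete, here is a small Go model of the reconcile path, written for this thread and not taken from provider-aws or crossplane-runtime. `Managed`, `Initializer`, `KMSClient`, `FakeKMS` and `Reconcile` are hypothetical stand-ins for the real types; the fake KMS accepts only UUID-shaped key IDs, answers "Invalid keyId" for anything else (as in manifest-1), and "keyId not found" for a well-formed ID it does not hold (as in manifest-2). The seeded and freshly-created key IDs are constructed values. Running it shows why the default name-as-external-name initializer breaks creation for a resource whose ID is assigned server-side, and why dropping that initializer lets the controller create first and record the returned ID afterwards.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Annotation Crossplane uses to record the cloud-side identifier of a managed resource.
const ExternalNameKey = "crossplane.io/external-name"

// Managed is a minimal stand-in for a Crossplane managed resource (hypothetical model).
type Managed struct {
	Name        string
	Annotations map[string]string
}

// KMSClient is the slice of the KMS API this model touches (hypothetical interface).
type KMSClient interface {
	DescribeKey(keyID string) (bool, error)
	CreateKey() (string, error)
}

// FakeKMS stands in for AWS KMS: it knows only keys it was seeded with or created,
// and rejects identifiers that are not shaped like a KMS key ID (a UUID).
type FakeKMS struct {
	keys   map[string]bool
	nextID string // ID handed out by the next CreateKey call (constructed in main / tests)
}

var keyIDRe = regexp.MustCompile(`^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)

func NewFakeKMS(existing []string, nextID string) *FakeKMS {
	f := &FakeKMS{keys: map[string]bool{}, nextID: nextID}
	for _, id := range existing {
		f.keys[id] = true
	}
	return f
}

func (f *FakeKMS) DescribeKey(keyID string) (bool, error) {
	if !keyIDRe.MatchString(keyID) {
		// Mirrors the "Invalid keyId" error reported for manifest-1.
		return false, errors.New("failed to describe Key: Invalid keyId " + keyID)
	}
	return f.keys[keyID], nil
}

func (f *FakeKMS) CreateKey() (string, error) {
	f.keys[f.nextID] = true
	return f.nextID, nil
}

// Initializer mirrors the hooks that run before Observe.
type Initializer func(mg *Managed)

// NameAsExternalName models the default initializer: it copies metadata.name into the
// external-name annotation, which for KMS turns "martin" into a bogus key ID.
func NameAsExternalName(mg *Managed) {
	if mg.Annotations[ExternalNameKey] == "" {
		mg.Annotations[ExternalNameKey] = mg.Name
	}
}

// Reconcile runs the initializers, then chooses between Observe and Create as the thread
// describes: a set external name is looked up, an empty one triggers creation and the
// returned ID is recorded. It returns "created" or "observed".
func Reconcile(mg *Managed, inits []Initializer, kms KMSClient) (string, error) {
	if mg.Annotations == nil {
		mg.Annotations = map[string]string{}
	}
	for _, in := range inits {
		in(mg)
	}
	id := mg.Annotations[ExternalNameKey]
	if id == "" {
		newID, err := kms.CreateKey()
		if err != nil {
			return "", err
		}
		mg.Annotations[ExternalNameKey] = newID
		return "created", nil
	}
	exists, err := kms.DescribeKey(id)
	if err != nil {
		return "", err
	}
	if !exists {
		// A well-formed ID that KMS does not know: the manifest-2 case from the thread.
		return "", fmt.Errorf("keyId not found: %s", id)
	}
	return "observed", nil
}

func main() {
	const seeded = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee" // constructed: a key that already exists
	const fresh = "11111111-2222-4333-8444-555555555555"  // constructed: ID the fake assigns on create
	for _, inits := range [][]Initializer{{NameAsExternalName}, nil} {
		mg := &Managed{Name: "martin"}
		action, err := Reconcile(mg, inits, NewFakeKMS([]string{seeded}, fresh))
		fmt.Printf("initializers=%d action=%q err=%v external-name=%q\n",
			len(inits), action, err, mg.Annotations[ExternalNameKey])
	}
}
```

The first iteration reproduces the thread's failure (the object name "martin" is sent to DescribeKey), the second shows the behaviour after the name-as-external-name initializer is removed. A manifest that already carries a valid, existing key ID still takes the Observe path and is adopted, matching the last result reported above.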
What happened?
Hello crossplane community,
An error occurs when a new AWS KMS key is created.
How can we reproduce it?
Crossplane installed as a k8s operator: a replicaset with the crossplane pod, the AWS provider and the RBAC manager.
I am trying to create a new KMS key, an empty one, as described below:
file: newkms.yaml
Once I run kubectl apply -f newkms.yaml
I get Invalid keyID error.
Error description:
kubectl-output-kms-key.txt
What environment did it happen in?
AWS environment:
K8s v1.18.9-eks-d1db3c
Crossplane version: 1.2.1
Am I missing something, or does this look like a bug? On the Slack channel there was a similar issue, but also with an external-name defined in the annotations.
Any advice or help really appreciated. Thank you.