external-secrets not assuming web identity role #660
Comments
Hey @vitorfhc! I think you got your issue covered, but just wanted to tell that both projects are implementations for kubernetes.

@gusfcarvalho thanks for that! Just changed my helm charts to use
Solution

For anyone else getting to this point from Google, I had a bare-metal Kubernetes cluster (it's actually AKS, but I consider it bare-metal in the case of AWS EKS :) ).

Objective

I wanted to set up the AWS IAM OIDC provider using the Azure AKS issuer URL. When the OpenID Configuration trust was set up, my aim was to allow the

I went through some back and forth. But eventually, and if your environment setup is anything like mine, I ended up with the following:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-parameter-store
spec:
  provider:
    aws:
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
      region: eu-central-1
      service: ParameterStore
```

And I made no change to the helm deployment of the External Secrets. However, I had to manually patch and annotate the

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/audience: sts.amazonaws.com # <- add this
    eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXXXXXXX:role/external-secrets # <- and this, manually!
    meta.helm.sh/release-name: external-secrets
    meta.helm.sh/release-namespace: external-secrets
  labels:
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/version: v0.9.16
    helm.sh/chart: external-secrets-0.9.16
  name: external-secrets
  namespace: external-secrets
```

Problem No. 1

This is a bit odd in my humble opinion. The reason is that this will restrict my External Secrets deployment to a single IAM Role. Imagine needing to have multiple

Another odd thing here is that you can't specify your audience in your

external-secrets/pkg/provider/aws/auth/auth.go Lines 261 to 264 in 3d96be0

This means that if I specify audience in my

Problem No. 2

The strangest thing happens when you add

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-parameter-store
spec:
  provider:
    aws:
      auth:
        jwt:
          serviceAccountRef:
            audiences:
              - sts.amazonaws.com
            name: external-secrets
            namespace: external-secrets
      region: eu-central-1
      role: arn:aws:iam::XXXXXXXXXXXX:role/some-poor-role # <- this should be normal, right? right!?
      service: ParameterStore
```

This gets really hectic really fast.

And the source code for this behavior is here: external-secrets/pkg/provider/aws/auth/auth.go Lines 310 to 311 in 3d96be0

For some reason, unknown to me, External Secrets tries to assume a role before actually assuming my own role. It even falsely tries

Problem No. 3

The current hacky way of annotating the

If you were thinking of creating multiple Service Accounts, tough luck! Kubernetes allows only a single Service Account per pod.

Expected Behavior

At the very least, I would like to be able to have multiple

This, in essence, means that I SHOULD be able to do this (even if not running inside AWS EKS cause it's a K8s cluster for heaven's sake):

```yaml
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-parameter-store-ABC
spec:
  provider:
    aws:
      auth:
        jwt:
          serviceAccountRef:
            audiences:
              - sts.amazonaws.com # <- this dude
            name: external-secrets
            namespace: external-secrets
      region: eu-central-1
      role: arn:aws:iam::XXXXXXXXXXXX:role/ABC # <- and this one
      service: ParameterStore
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-parameter-store-XYZ
spec:
  provider:
    aws:
      auth:
        jwt:
          serviceAccountRef:
            audiences:
              - sts.amazonaws.com # <- and this
            name: external-secrets
            namespace: external-secrets
      region: eu-central-1
      role: arn:aws:iam::XXXXXXXXXXXX:role/XYZ # and also this, SHOULD all be possible!
      service: ParameterStore
```

Blog Post

I have nothing else to add here to answer the title of this issue. But, at the same time, it would be a waste if I didn't do a shameless self-promotion of the same topic I'll be publicly writing about in my blog, readily available in a few days (by the time you read this, it's already available 😁).
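The trust side of the setup described in the comment above (an IAM OIDC provider pointing at the AKS issuer, and a role that only the annotated external-secrets ServiceAccount may assume with audience sts.amazonaws.com), as an added example that is not part of this issue or of the external-secrets project: it builds the trust policy a practitioner would attach to the role from the role-arn annotation and replays the audience and subject conditions against a projected token locally, so a mismatch is caught before blaming the controller. The issuer URL, OIDC provider ARN, account id and the unsigned test token are constructed placeholders.

```python
import base64
import json
# Constructed placeholders, not values from the issue: the AKS issuer URL and the
# IAM OIDC provider created for it (its ARN ends in the issuer host and path).
ISSUER = "https://eastus.oic.prod-aks.azure.com/TENANT-ID-PLACEHOLDER/CLUSTER-ID-PLACEHOLDER/"
OIDC_PROVIDER_ARN = "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/" + ISSUER.removeprefix("https://").rstrip("/")

def trust_policy(issuer, provider_arn, namespace, sa_name, audience="sts.amazonaws.com"):
    """Trust policy for the role in the eks.amazonaws.com/role-arn annotation.
    :sub pins the role to one ServiceAccount; :aud must equal the
    eks.amazonaws.com/audience annotation or STS rejects the projected token."""
    host = issuer.removeprefix("https://").rstrip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:aud": audience,
                f"{host}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            }},
        }],
    }

def _claims(token):
    # Payload only; signature verification is STS's job, this is a local sanity check.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_matches_policy(token, policy):
    """Simplified replay of the StringEquals evaluation STS performs on assume."""
    claims = _claims(token)
    stmt = policy["Statement"][0]
    host = stmt["Principal"]["Federated"].split("oidc-provider/", 1)[1]
    if claims.get("iss", "").removeprefix("https://").rstrip("/") != host:
        return False  # issued by a different cluster/provider
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    for key, expected in stmt["Condition"]["StringEquals"].items():
        claim = key.rsplit(":", 1)[1]
        actual = aud if claim == "aud" else [claims.get(claim)]
        if expected not in actual:
            return False  # wrong audience, or a token from another ServiceAccount
    return True

def fake_token(claims):
    # Unsigned stand-in for a projected token, constructed for the local check only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

On a real cluster, read the projected token from the path in AWS_WEB_IDENTITY_TOKEN_FILE inside the external-secrets pod and pass it to token_matches_policy in place of fake_token.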
Hello,

I decided to install external-secrets using its kubernetes version.

For authenticating I chose the IAM roles for service accounts which provides the following environment variables:

But after trying to create an external secret I got the following error:

User: arn:aws:sts::<account-id>:assumed-role/<node role> is not authorized to perform: secretsmanager:GetSecretValue on resource: <secret-name> because no identity-based policy allows the secretsmanager:GetSecretValue action

This means external secrets didn't try to run assumeRoleWithWebIdentity using the given token to assume AWS_ROLE_ARN which has the right permissions. How could I assume the right role? Is there any missing configuration for me?