Vault not using role provided by IAM Roles for Service Accounts (IRSA) #10458
Comments
I got this to work by manually adding the
Thanks for pointing this out (and providing the solution)! It looks like setting that env variable is part of the AWS setup, but either way I've labeled it so the docs team can take a look.
@kirkdave what version of EKS are you using? EKS should automatically inject the
I'm currently running into this issue on an EKS 1.17 cluster. Could I bother you to post your chart override values for Vault? I've gone into detail at hashicorp/vault-helm#368 (comment)
I've tried now manually setting the AWS_ROLE_ARN. Attempting to init the vault looks like a step backward for me as it attempts to use the root role:
With the AWS_ROLE_ARN attached automatically, it looks like Vault attempts to use the correct role but without success:
This despite setting the correct policy permissions via Terraform:
This turned out to be KMS key related. For some reason the original key just didn't want to allow permissions. Created a new key and boom, all is well.
I am also facing this issue; I have tried adding "AWS_ROLE_ARN" to the env. It doesn't consider it. Also, the following error is for the ServiceAccount: eal.awskms: error assuming role: roleARN=* tokenPath=/var/run/secrets/eks.amazonaws.com/serviceaccount/token sessionName= err="WebIdentityErr: failed to retrieve credentials
Ran into the same error message on an older EKS-based Vault that has gone through an evolution from KIAM to IRSA. In my case, the issue was that the KMS Key Policy only had the default policy (the one that allows Admin access). This worked in the KIAM environment. I had to explicitly add my IRSA role to the KMS Key Policy to get Vault to auto unseal with KMS when using IRSA. In hindsight, this makes sense. Had to change from:
to:
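A check for the key-policy condition described in the comment above, added here as an example; it is not the commenter's own policy. The account id, role ARN and policy statements are constructed placeholders, the required-action set is the one the Vault awskms seal needs (kms:Encrypt, kms:Decrypt, kms:DescribeKey), and only explicit grants to the role in the key policy are counted (delegation through the account-root statement is deliberately not modelled):

```python
import json
from fnmatch import fnmatchcase

# Actions the Vault awskms seal needs on its key.
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"}
# Constructed placeholder ARN for the role annotated on Vault's service account.
IRSA_ROLE_ARN = "arn:aws:iam::111122223333:role/vault-irsa-role"

# Constructed sample: a default key policy that only names the account root.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

# Constructed sample: the same policy plus an explicit statement for the IRSA role.
FIXED_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": DEFAULT_KEY_POLICY["Statement"] + [{
        "Sid": "Allow the Vault IRSA role to use the key for auto-unseal",
        "Effect": "Allow",
        "Principal": {"AWS": IRSA_ROLE_ARN},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
    }],
}

def _as_list(value):
    """IAM policy JSON lets a single value stand in for a one-element list."""
    return value if isinstance(value, list) else [value]

def missing_actions(policy, role_arn):
    """Return the required actions that no Allow statement naming role_arn grants.
    `policy` may be a dict or the JSON string from `aws kms get-key-policy`.
    Deny statements and Condition blocks are ignored (simplifying assumption)."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        principal = stmt.get("Principal", {})
        named = principal == "*" or (
            isinstance(principal, dict) and role_arn in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") != "Allow" or not named:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted |= {a for a in REQUIRED_ACTIONS if fnmatchcase(a, pattern)}
    return sorted(REQUIRED_ACTIONS - granted)
```

Run it against the policy text returned by `aws kms get-key-policy --key-id <id> --policy-name default --output text` with the role ARN from the service account annotation; an empty list means every action the seal needs is explicitly granted.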
I got it working with Vault v1.14.1
Definitively KO in 1.14.0; got it working in Vault v1.14.1 simply by changing the image tag. Every other resource (service account, annotations, IAM role, KMS policy and so on) was unchanged between the two image tags.
Describe the bug
When running Vault on EKS (deployed via Helm chart) it is not using the IAM role annotated on the service account to get permissions for AWS API calls. It uses the IAM role assigned to the worker node.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Vault should use the role annotated on the service account to authenticate with AWS and successfully describe the KMS key.
Environment:
Additional context
To validate that the IAM role can be successfully assumed using IRSA, I have run the following command, which was successful:
Which returns: