Issuer with IRSA needs ambient credentials flag
This should help reduce the amount of time people might waste trying to figure out how to resolve the following error:

```
error instantiating route53 challenge solver: unable to construct route53 provider: empty credentials; perhaps you meant to enable ambient credentials?
```

A couple of related bug reports:

* cert-manager/cert-manager#3009
* cert-manager/cert-manager#3079
rossigee committed Sep 13, 2021
1 parent 4f6dca9 commit c13890e
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions content/en/docs/configuration/acme/dns01/route53.md
Expand Up @@ -180,6 +180,8 @@ spec:

Note that, as mentioned above, the pod is using `arn:aws:iam::XXXXXXXXXXX:role/cert-manager` as a credentials source in Account X, but the `ClusterIssuer` ultimately assumes the `arn:aws:iam::YYYYYYYYYYYY:role/dns-manager` role to actually make changes in Route53 zones located in Account Y.

If you are using an Issuer instead of a ClusterIssuer and assuming a role you will need to ensure that cert-manager is started with the `--issuer-ambient-credentials=true` argument.

## EKS IAM Role for Service Accounts (IRSA)

While [`kiam`](https://github.com/uswitch/kiam) / [`kube2iam`](https://github.com/jtblin/kube2iam) work directly with cert-manager, some special attention is needed for using the [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) feature available on EKS.
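
Review bot: The new sentence about `--issuer-ambient-credentials=true` is placed at the end of the cross-account assume-role section, above the "EKS IAM Role for Service Accounts (IRSA)" heading, while the commit title is about an Issuer with IRSA; a reader who jumps straight to the IRSA section will not see it, so move it under that heading or repeat it there. It would also help to quote the error text from the commit message ("empty credentials; perhaps you meant to enable ambient credentials?") next to the sentence so that a search for the error lands on this page. Finally, add a sentence on the trade-off: the argument applies to the whole cert-manager process, so once it is set every namespaced Issuer can use the role attached to the cert-manager pod, which makes it important who is allowed to create Issuers.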