-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Assume IAM Role for a Service Account not working #2848
Comments
Hi @marcincuber, We'd done extensive testing internally before merging TokenFileWebIdentityCredentials You can view CredentialProviderChain at Lines 61 to 69 in 5d8a5ea
Can you confirm that none of the other Credential Providers taking precedence over TokenFileWebIdentityCredentials? |
Hi @trivikr, We tested this by building kubernetes-external-secrets release 1.3.1 with latest aws-sdk-js (2.543.0) and we encountered the following error:
To reproduce, you can try the helm chart that we used: https://github.com/Hobsons/kubernetes-external-secrets/tree/v1-3-1-with-updates/charts/kubernetes-external-secrets with the following instructions:
Variable Definitions: On creating an object of type We also tried to test with the latest version(1.5.0) of kubernetes-external-secrets. 1.5.0 has some assume role functionality based on a namespace annotations so we are more confident with our error reproduction with version 1.3.1. The error that we encountered with that version 1.3.1 was: Sidenote: kubernetes-external-secrets version 1.3.1 with kiam integration works without a hitch! |
@ajredniwja will look into the test case to repro and verify with documentation as part of triaging. |
@farshad-hobsons can you try providing the credentials explicitly using const secretsManagerClient = new AWS.SecretsManager({credentials: new AWS.TokenFileWebIdentityCredentials()}); when initiating the SecretsManager client to make sure EKS credentials are working fine? |
Thank you @ajredniwja & @trivikr for providing help on this. @ajredniwja , on adding explicit The above error led us to think that there was some form of permission issue and we quickly discovered that we have this aws/amazon-eks-pod-identity-webhook#8 issue. We then successfully tested the workaround in kubernetes-sigs/external-dns#1185 (comment) to set My conclusion is that this is not an The implication is that: until upstream is fixed, non-root account in containers might need the workaround of |
@farshad-hobsons, I can reach to the docs team for adding some details. Closing this issue now, please reach out if you have any additional questions. |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread. |
Confirm by changing [ ] to [x] below to ensure that it's a bug:
Describe the bug
Application has been upgraded to the latest version of aws-sdk and temporary credentials are not available when creating e.g.
const secretsManagerClient = new AWS.SecretsManager(awsConfig.secretsManagerConfig)
. I am using latest version in order be able to use token_file_web_identity_credentials.Application is running in kubernetes 1.14.
There is an open issue in the mentioned application. external-secrets-issue
SDK version number
v2.528.0
Observed behavior
Node application is correctly receiving desired variables i.e.
AWS_ROLE_ARN
,AWS_WEB_IDENTITY_TOKEN_FILE
, however assumed role credentials are not available.So, credentials that are being used are taken from the node's instance profile whereas they should be available after assuming
AWS_ROLE_ARN
, log:"level":50,"time":1568621518210,"pid":18,"hostname":"external-secrets-7595968467-2cfb2","message":"User: arn:aws:sts::01111111111:assumed-role/ceng-eks-test-worker-node/i-01f479d9225b21219 is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:eu-west-1:01111111111:secret:newrelic-keys-f9UfVW","code":"AccessDeniedException","time":"2019-09-16T08:11:58.210Z","requestId":"d6ab153d-96c3-48c4-bc11-e9c89d68b07c","statusCode":400,"retryable":false,"retryDelay":69.02564110661021,"msg":"failure while polling the secret newrelic-account-key","stack":"AccessDeniedException: User: arn:aws:sts::01111111111:assumed-role/ceng-eks-test-worker-node/i-01f479d9225b21219 is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:eu-west-1:01111111111:secret:newrelic-keys-f9UfVW\n at Request.extractError (/app/node_modules/aws-sdk/lib/protocol/json.js:51:27)\n at Request.callListeners (/app/node_modules/aws-sdk/lib/sequential_executor.js:106:20)\n at Request.emit (/app/node_modules/aws-sdk/lib/sequential_executor.js:78:10)\n at Request.emit (/app/node_modules/aws-sdk/lib/request.js:683:14)\n at Request.transition (/app/node_modules/aws-sdk/lib/request.js:22:10)\n at AcceptorStateMachine.runTo (/app/node_modules/aws-sdk/lib/state_machine.js:14:12)\n at /app/node_modules/aws-sdk/lib/state_machine.js:26:10\n at Request.<anonymous> (/app/node_modules/aws-sdk/lib/request.js:38:9)\n at Request.<anonymous> (/app/node_modules/aws-sdk/lib/request.js:685:12)\n at Request.callListeners (/app/node_modules/aws-sdk/lib/sequential_executor.js:116:18)","type":"Error","v":1}
Expected behavior
A clear and concise description of what you expected to happen.
I expect that if variables
AWS_ROLE_ARN
,AWS_WEB_IDENTITY_TOKEN_FILE
andAWS_REGION
, credentials will be assume and then automatically passed into e.g. AWS.SecretsManager.Based on the description in token_file_web_identity_credentials.js
I wouldn't need to do anything extra in terms of setup.
Any chances to point me in the right direction or provide some help? Thanks
The text was updated successfully, but these errors were encountered: