The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store, and mount them into Kubernetes pods.
Apache License 2.0
Secret access cross account without resource based policy #360
We are running into a similar issue where we want IRSA to have cross-account access to secrets (secrets stored in a central security account), while the pod needs to have an IRSA role which also has access to other local resources within the account where the cluster runs (the workload account).
Is it possible to use the secret store to use IRSA with cross-account access without having to set a policy at the resource level?
We have a lot of secrets to manage and it is quite a trouble to set access at each secret level. Any pointers would be appreciated.
Sorry, @prakashbalaji - cross-account access is not possible without a resource policy. This is an IAM behavior in AWS and not something we can change in the CSI driver plugin.
Referring to this issue in this thread - https://github.com/aws/secrets-store-csi-driver-provider-aws/issues/19
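What the maintainer's answer means in practice, as an added example that is not code from the provider project or from either participant in this thread: the IRSA role's identity policy in the workload account is necessary but not sufficient; the owning (security) account must also attach a resource policy to each secret naming that role, the secrets must be encrypted with a customer-managed KMS key whose key policy grants the role kms:Decrypt (the default aws/secretsmanager key cannot be shared across accounts), and the SecretProviderClass must reference each remote secret by its full ARN so the provider's GetSecretValue call is routed to the owning account. Since the pain point is the number of secrets, the script below generates those policy documents and applies the resource policy to every secret that does not already grant the role, using the standard boto3 secretsmanager calls get_resource_policy and put_resource_policy. Account IDs, the region, the role name, the secret ARN and the in-memory FakeSecretsManager are constructed placeholders; swap the fake for boto3.client("secretsmanager") with credentials in the security account.

```python
"""Grant a workload-account IRSA role read access to secrets owned by a
central security account, and audit which secrets already grant it.

Added example for this thread; not code from secrets-store-csi-driver-provider-aws.
Account IDs, ARNs, the role name and FakeSecretsManager are constructed placeholders.
"""
import fnmatch
import json

SECURITY_ACCOUNT = "111111111111"  # assumed: account that owns the secrets
WORKLOAD_ACCOUNT = "222222222222"  # assumed: account that runs the EKS cluster
REGION = "us-east-1"               # assumed
IRSA_ROLE_ARN = f"arn:aws:iam::{WORKLOAD_ACCOUNT}:role/app-secrets-reader"  # assumed name
READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]


def build_secret_resource_policy(role_arn: str) -> dict:
    """Resource policy the owning account attaches to each secret.

    The role's identity policy alone cannot reach another account's secret;
    IAM requires the resource owner to grant the caller as well.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowWorkloadIrsaRole",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": READ_ACTIONS,
        "Resource": "*",  # a secret's resource policy only applies to that secret
    }]}


def build_kms_key_policy_statement(role_arn: str) -> dict:
    """Statement for the customer-managed KMS key that encrypts those secrets;
    without it the cross-account GetSecretValue fails at the decrypt step."""
    return {
        "Sid": "AllowWorkloadIrsaRoleDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}},
    }


def build_secret_provider_class(name: str, secret_arns: list) -> dict:
    """SecretProviderClass naming each remote secret by full ARN, so the
    provider fetches it from the owning account rather than the local one."""
    objects = [{"objectName": arn, "objectType": "secretsmanager"} for arn in secret_arns]
    return {
        "apiVersion": "secrets-store.csi.x-k8s.io/v1",
        "kind": "SecretProviderClass",
        "metadata": {"name": name},
        # 'objects' is a YAML string in the manifest; JSON is valid YAML.
        "spec": {"provider": "aws", "parameters": {"objects": json.dumps(objects)}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_grants_role(policy: dict, role_arn: str,
                       action: str = "secretsmanager:GetSecretValue") -> bool:
    """True if an Allow statement names role_arn (or its account root) and its
    Action matches `action` with IAM-style wildcards. Deny statements and
    Conditions are not evaluated: this is a pre-flight audit, not IAM."""
    account_root = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if role_arn not in aws and account_root not in aws:
            continue
        if any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
            return True
    return False


def ensure_secret_grants_role(client, secret_id: str, role_arn: str) -> bool:
    """Append the grant to one secret's resource policy unless already present.

    `client` is a boto3 'secretsmanager' client or FakeSecretsManager below.
    Existing statements are preserved because put_resource_policy replaces the
    whole document. Returns True if a policy was written.
    """
    current = client.get_resource_policy(SecretId=secret_id).get("ResourcePolicy")
    policy = json.loads(current) if current else {"Version": "2012-10-17", "Statement": []}
    if policy_grants_role(policy, role_arn):
        return False
    policy["Statement"] = _as_list(policy["Statement"]) + build_secret_resource_policy(role_arn)["Statement"]
    client.put_resource_policy(SecretId=secret_id, ResourcePolicy=json.dumps(policy),
                               BlockPublicPolicy=True)
    return True


class FakeSecretsManager:
    """Constructed in-memory stand-in for the two boto3 calls used above."""
    def __init__(self):
        self.policies = {}

    def get_resource_policy(self, SecretId):
        out = {"ARN": SecretId, "Name": SecretId}
        if SecretId in self.policies:
            out["ResourcePolicy"] = self.policies[SecretId]
        return out

    def put_resource_policy(self, SecretId, ResourcePolicy, BlockPublicPolicy=False):
        self.policies[SecretId] = ResourcePolicy
        return {"ARN": SecretId, "Name": SecretId}


if __name__ == "__main__":
    sm = FakeSecretsManager()  # replace with boto3.client("secretsmanager") for real use
    arns = [f"arn:aws:secretsmanager:{REGION}:{SECURITY_ACCOUNT}:secret:prod/db-AbCdEf"]  # constructed
    for arn in arns:
        print(arn, "updated" if ensure_secret_grants_role(sm, arn, IRSA_ROLE_ARN) else "already granted")
    print(json.dumps(build_secret_provider_class("central-secrets", arns), indent=2))
```

Run it once against the real client to bring every secret in the central account up to date, and re-run it as a drift check: a second pass reports "already granted" for each secret and writes nothing. The IRSA role in the workload account still needs its own identity policy allowing the same secretsmanager actions on those ARNs plus kms:Decrypt on the key; the script only covers the owning account's side, which is the part the CSI driver cannot do for you.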