The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store, and mount them into Kubernetes pods.
While EKS OIDC creation defaults to sts.amazonaws.com, kops defaults to amazonaws.com; but more importantly, to be fully compliant with pod-identity-webhook, the audience annotation must be respected instead of a hard-coded constant.
Code Changes in auth.go
arnAnno = "eks.amazonaws.com/role-arn"
audienceAnno = "eks.amazonaws.com/audience"
docURL = "https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html"
defaultAudience = "sts.amazonaws.com"
ProviderName = "secrets-store-csi-driver-provider-aws"
)
// FetchToken obtains a projected ServiceAccount token through the Kubernetes
// TokenRequest API and returns its raw bytes.
//
// The token's audience is read from the ServiceAccount's audience annotation
// (audienceAnno); when the annotation is absent or empty, defaultAudience is
// used instead. Because the value is passed verbatim as the only requested
// audience, the annotation is trust-bearing: it selects which party the
// issued token is valid for.
//
// Returns the error from the ServiceAccount lookup or from the TokenRequest
// call unchanged.
func (p authTokenFetcher) FetchToken(ctx credentials.Context) ([]byte, error) {
	saClient := p.k8sClient.ServiceAccounts(p.nameSpace)

	sa, err := saClient.Get(ctx, p.svcAcc, metav1.GetOptions{})
	if err != nil {
		return nil, err
	}

	// Prefer the annotated audience; fall back to the default when unset.
	aud := sa.Annotations[audienceAnno]
	if aud == "" {
		aud = defaultAudience
	}

	req := &authv1.TokenRequest{
		Spec: authv1.TokenRequestSpec{Audiences: []string{aud}},
	}
	// Request the token from the K8s API (OIDC-issued, scoped to aud).
	rsp, err := saClient.CreateToken(ctx, p.svcAcc, req, metav1.CreateOptions{})
	if err != nil {
		return nil, err
	}

	return []byte(rsp.Status.Token), nil
}
While EKS OIDC creation defaults to sts.amazonaws.com, kops defaults to amazonaws.com; but more importantly, to be fully compliant with pod-identity-webhook, the audience annotation must be respected instead of a hard-coded constant.

Code Changes in auth.go