Closed designlee closed 1 week ago
Hi, you are trying to access a secret from another account, which is not listed in the secret policy. Please try to read Access AWS Secrets Manager secrets from a different account. If you're still unsuccessful, please contact AWS support via the AWS console.
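The reply above points at the cross-account case: the role in the pod's account (108735437337 in the log) is calling DescribeSecret on a secret owned by account 036405048539, and Secrets Manager only grants a principal from another account if a resource-based policy on the secret names it. The following is an added example, not code from the issue or from the secrets-store-csi-driver-provider-aws project. It builds the resource policy the secret needs and the key policy for a customer managed KMS key (the AWS managed key aws/secretsmanager cannot be used for cross-account reads), and runs a small policy evaluator over the before and after state so the denied call in the log can be reproduced offline. The role and secret ARNs are the ones printed in the log; the STS session ARN, the KMS key id, the `kms:ViaService` hostname for the aws-cn partition and all function names are constructed for this example.

```python
"""Added example: the cross-account fix for the DescribeSecret denial in the issue."""
import fnmatch
import json

# From the log lines: the pod's role (consuming account) and the secret (owning account).
CONSUMER_ROLE_ARN = ("arn:aws-cn:iam::108735437337:role/"
                     "eksctl-aws-polestar-cn-northwest-1-swe-prod-a-Role1-0ToZfTinaRYm")
SECRET_ARN = ("arn:aws-cn:secretsmanager:cn-northwest-1:036405048539:"
              "secret:org/datadog/china/apiKey-88kA97")
# Constructed: the STS session ARN the provider presents, in the shape the error message shows.
SESSION_ARN = ("arn:aws-cn:sts::108735437337:assumed-role/"
               "eksctl-aws-polestar-cn-northwest-1-swe-prod-a-Role1-0ToZfTinaRYm/"
               "secrets-store-csi-driver-provider-aws")
OWNER_ACCOUNT = "036405048539"
REGION = "cn-northwest-1"
# The two calls the provider makes; DescribeSecret is the one denied in the log.
PROVIDER_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]


def secret_resource_policy(consumer_role_arn, secret_arn):
    """Resource-based policy to attach to the secret in the owning account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCsiProviderRoleFromOtherAccount",
            "Effect": "Allow",
            # Name the IAM role, not the STS assumed-role session ARN from the error.
            "Principal": {"AWS": consumer_role_arn},
            "Action": PROVIDER_ACTIONS,
            "Resource": secret_arn,
        }],
    }


def kms_key_policy(owner_account, consumer_role_arn, region, partition="aws-cn"):
    """Key policy for the customer managed key that encrypts the secret (assumed to exist).
    The consuming role may decrypt only when Secrets Manager calls KMS on its behalf."""
    domain = "amazonaws.com.cn" if partition == "aws-cn" else "amazonaws.com"  # assumed for aws-cn
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnerAccountAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:{partition}:iam::{owner_account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowDecryptViaSecretsManager", "Effect": "Allow",
             "Principal": {"AWS": consumer_role_arn},
             "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
             "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.{domain}"}}},
        ],
    }


def principal_role_arn(arn):
    """Map an STS assumed-role session ARN (what the error reports) to the IAM role ARN
    that a resource policy has to name. Other ARNs are returned unchanged."""
    prefix, _, rest = arn.partition(":sts::")
    if not rest or ":assumed-role/" not in rest:
        return arn
    account, _, path = rest.partition(":assumed-role/")
    role_name = path.split("/", 1)[0]          # drop the session name
    partition = prefix.split(":")[1]           # "arn:aws-cn" -> "aws-cn"
    return f"arn:{partition}:iam::{account}:role/{role_name}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, principal_arn, action, resource):
    """Minimal evaluator for the resource-policy half of the decision: an explicit Deny
    wins, otherwise some Allow must match principal, action and resource ('*' wildcards).
    Conditions are not evaluated here; the caller's identity policy must also allow."""
    principal = principal_role_arn(principal_arn)
    allowed = False
    for stmt in policy.get("Statement", []):
        p = stmt.get("Principal", {})
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not any(fnmatch.fnmatchcase(principal, pat) for pat in principals):
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def decisions():
    """Before/after view of the calls the provider makes against the secret."""
    no_policy = {"Version": "2012-10-17", "Statement": []}   # the state the error describes
    fixed = secret_resource_policy(CONSUMER_ROLE_ARN, SECRET_ARN)
    other_role = "arn:aws-cn:iam::108735437337:role/SomeOtherRole"   # constructed
    return {
        "before_describe": is_allowed(no_policy, SESSION_ARN, "secretsmanager:DescribeSecret", SECRET_ARN),
        "after_describe": is_allowed(fixed, SESSION_ARN, "secretsmanager:DescribeSecret", SECRET_ARN),
        "after_get": is_allowed(fixed, SESSION_ARN, "secretsmanager:GetSecretValue", SECRET_ARN),
        "after_put": is_allowed(fixed, SESSION_ARN, "secretsmanager:PutSecretValue", SECRET_ARN),
        "other_role": is_allowed(fixed, other_role, "secretsmanager:DescribeSecret", SECRET_ARN),
    }


if __name__ == "__main__":
    print(json.dumps(secret_resource_policy(CONSUMER_ROLE_ARN, SECRET_ARN), indent=2))
    print(json.dumps(kms_key_policy(OWNER_ACCOUNT, CONSUMER_ROLE_ARN, REGION), indent=2))
    print(decisions())
```

The generated secret policy is what goes into `aws secretsmanager put-resource-policy --secret-id <secret ARN> --resource-policy file://policy.json` in the owning account; the key policy goes on the customer managed key the secret is re-encrypted with. Two things the evaluator makes visible: the principal must be the role ARN rather than the `assumed-role/...` session ARN from the error text, and the allow is scoped to the two read actions, so writes from the consuming role and reads by any other role in that account remain denied. The consuming role's own identity policy still has to grant the same two actions on the secret and `kms:Decrypt` on the key, since both halves of a cross-account decision must allow.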
Describe the bug
Servicing mount request for pod datadog-agent-frrpw in namespace default using service account datadog-agent with region(s) cn-northwest-1
I1115 11:01:53.752422 1 auth.go:123] Role ARN for default:datadog-agent is arn:aws-cn:iam::108735437337:role/eksctl-aws-polestar-cn-northwest-1-swe-prod-a-Role1-0ToZfTinaRYm
E1115 11:01:53.830276 1 server.go:151] Failure getting secret values from provider type secretsmanager: cn-northwest-1: Failed to describe secret arn:aws-cn:secretsmanager:cn-northwest-1:036405048539:secret:org/datadog/china/apiKey-88kA97: AccessDeniedException: User: arn:aws-cn:sts::108735434334:assumed-role/eksctl-aws-polestar-cn-northwest-1-swe-prod-a-Role1-0ToZfTinaRYm/secrets-store-csi-driver-provider-aws is not authorized to perform: secretsmanager:DescribeSecret on resource: arn:aws-cn:secretsmanager:cn-northwest-1:036405048539:secret:org/datadog/china/apiKey-88kA97 because no resource-based policy allows the secretsmanager:DescribeSecret action
When the API key rotates, I can't get the new API key. Why? Somebody help me, thanks a lot.