crossplane-contrib / provider-jet-aws

AWS Provider for Crossplane that is built with Terrajet.
https://crossplane.io
Apache License 2.0

ProviderConfig - assumeRoleARN doesn't work #207

Closed liorfranko closed 2 years ago

liorfranko commented 2 years ago

What happened?

I'm trying to use the assumeRoleARN in ProviderConfig but it doesn't work. I followed the guide https://github.com/crossplane-contrib/provider-jet-aws/blob/main/AUTHENTICATION.md

I created a role in AWS, and mapped it to the correct SA in the correct namespace (provider-jet-aws-302696b1dbdb).

I'm getting the following errors: api error AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity

How can we reproduce it?

```yaml
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-jet-aws
spec:
  package: "crossplane/provider-jet-aws:main"
  controllerConfigRef:
    name: aws-config

---
apiVersion: aws.jet.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: aws-jet-provider
spec:
  assumeRoleARN: arn:aws:iam::*******:role/<role_name>
  credentials:
    source: InjectedIdentity
---
apiVersion: ecr.aws.jet.crossplane.io/v1alpha2
kind: Repository
metadata:
  name: sample-repository
spec:
  forProvider:
    region: us-east-1
    imageScanningConfiguration:
      - scanOnPush: true
    imageTagMutability: "IMMUTABLE"
  providerConfigRef:
    name: aws-jet-provider
```

Create the IAM role with the trust policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "************"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "************:sub": "system:serviceaccount:crossplane:<service_account_name>"
                }
            }
        }
    ]
}
```

What environment did it happen in?

Crossplane version:

haarchri commented 2 years ago

Can you check cloudtrail?

Configuration looks great, but your issue is more setup-related, with IRSA/serviceAccount, because the serviceAccount is not allowed to AssumeRoleWithWebIdentity ...
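The trust policy in the issue and the diagnosis above come down to one question: does the role's trust policy allow the exact service account the provider pod runs as (same OIDC provider, same namespace, same name or wildcard)? The script below is an added example, not provider-jet-aws code: it evaluates an IRSA trust policy offline for a given provider ARN, namespace and service account, mirroring the `StringEquals`/`StringLike` checks STS applies to the token's `sub` and `aud` claims. The account number, OIDC provider ID, namespace and sample policy it embeds are constructed, and it assumes the default IRSA audience `sts.amazonaws.com`.

```python
"""Offline check of an IRSA role trust policy against a Kubernetes service account.

Added example (not part of provider-jet-aws). Every ARN, account number, OIDC
provider ID and namespace below is constructed for illustration.
"""
import fnmatch
import json
import sys
from typing import Any, Dict, List

ASSUME_WEB_IDENTITY = "sts:AssumeRoleWithWebIdentity"
DEFAULT_AUDIENCE = "sts.amazonaws.com"  # assumption: the default IRSA token audience


def _as_list(value: Any) -> List[Any]:
    # IAM allows a scalar or a list for Principal, Action and condition values.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _like(actual: str, pattern: str) -> bool:
    # IAM StringLike knows only '*' and '?'; neutralise fnmatch's '[...]' classes.
    return fnmatch.fnmatchcase(actual, pattern.replace("[", "[[]"))


def _condition_matches(condition: Dict[str, Dict[str, Any]], claims: Dict[str, str]) -> bool:
    """Evaluate the String* operators IRSA trust policies use.

    StringEquals is exact, StringLike is a wildcard match. Any operator this
    toy evaluator does not implement makes the statement fail closed, and a
    condition key the token does not carry never matches.
    """
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            actual = claims.get(key)
            if actual is None:
                return False
            allowed_values = [str(v) for v in _as_list(allowed)]
            if operator == "StringEquals":
                if actual not in allowed_values:
                    return False
            elif operator == "StringLike":
                if not any(_like(actual, pat) for pat in allowed_values):
                    return False
            else:
                return False
    return True


def trust_policy_allows(policy: Dict[str, Any], oidc_provider_arn: str,
                        namespace: str, service_account: str) -> bool:
    """True if some Allow statement lets tokens from this OIDC provider, issued
    to namespace/service_account, call sts:AssumeRoleWithWebIdentity."""
    if "oidc-provider/" not in oidc_provider_arn:
        raise ValueError("expected an arn:aws:iam::<account>:oidc-provider/<issuer> ARN")
    issuer = oidc_provider_arn.split("oidc-provider/", 1)[1]
    # Condition keys are "<issuer>:sub" and "<issuer>:aud", as in the trust policy above.
    claims = {
        f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
        f"{issuer}:aud": DEFAULT_AUDIENCE,
    }
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if ASSUME_WEB_IDENTITY not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if oidc_provider_arn not in federated:
            continue
        if _condition_matches(stmt.get("Condition") or {}, claims):
            return True
    return False


# Constructed sample: a cluster issuer, a trust policy with an audience check and a
# wildcard on the service account name (provider revisions get a random suffix).
EXAMPLE_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1234567890ABCDEF"
EXAMPLE_PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{EXAMPLE_ISSUER}"
EXAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": EXAMPLE_PROVIDER_ARN},
        "Action": ASSUME_WEB_IDENTITY,
        "Condition": {
            "StringEquals": {f"{EXAMPLE_ISSUER}:aud": DEFAULT_AUDIENCE},
            "StringLike": {f"{EXAMPLE_ISSUER}:sub": "system:serviceaccount:crossplane:provider-jet-aws-*"},
        },
    }],
}

if __name__ == "__main__":
    # Usage: python irsa_trust_check.py <trust-policy.json> <oidc-provider-arn> <namespace> <sa>
    if len(sys.argv) == 5:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
        ok = trust_policy_allows(doc, sys.argv[2], sys.argv[3], sys.argv[4])
    else:
        ok = trust_policy_allows(EXAMPLE_TRUST_POLICY, EXAMPLE_PROVIDER_ARN,
                                 "crossplane", "provider-jet-aws-302696b1dbdb")
    print("trust policy allows this service account" if ok else "NOT allowed: expect AccessDenied on AssumeRoleWithWebIdentity")
```

The trust policy document for a real role can be pulled with `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` and saved to a file; the namespace and service account to check are the ones the provider pod actually runs with (`kubectl get pod -o jsonpath='{.spec.serviceAccountName}'`), which is exactly the detail that was wrong in this issue.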

liorfranko commented 2 years ago

Sorry, it was my bad, I was using the wrong ProviderConfig.