external-secrets / external-secrets

External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
https://external-secrets.io/main
Apache License 2.0

Kiam is not working. AWS provider. #579

Closed kuzm1ch closed 2 years ago

kuzm1ch commented 2 years ago

Kiam is not working. AWS provider.

ESO is not able to assume the role provided in SecretStore.spec.provider.aws.role (v0.3.10).

Examples of the outcome

```
"controllers.ExternalSecret","msg":"could not reconcile ExternalSecret","ExternalSecret":"******","SecretStore":"*****","error":"could not get secret data from provider: key \"external-secret-operator\" from ExternalSecret \"poc-key\": NoCredentialProviders: no valid providers in chain. Deprecated.
```

```yaml
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-papp-dev
spec:
  controller: dev
  provider:
    aws:
      service: SecretsManager
      role: arn:aws:iam::*******:role/*****
      region: eu-west-1
```

Observations (Constraints, Context, etc):

When I added the Kiam annotation directly to the pod, I received this error:

```
could not reconcile ExternalSecret","ExternalSecret":"poc-key","SecretStore":"*****","error":"could not get secret data from provider: key \"external-secret-operator\" from ExternalSecret \"poc-key\": AccessDenied: User: arn:aws:sts::****:assumed-role/****/kiam-kiam is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::*******:role/*******\n\tstatus code: 403, 
```

```yaml
spec:
  template:
    metadata:
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::*****:role/*****
```

It would be good to have the Kiam configuration part documented somewhere.

kuzm1ch commented 2 years ago

on hold for now

moolen commented 2 years ago

Have you tried adding the annotation and leaving provider.aws.role blank? From the error message above I see that the ESO pod already acquired credentials via Kiam:

```
User: arn:aws:sts::****:assumed-role/****/kiam-kiam is not authorized to perform: sts:AssumeRole
```

If the role has the proper SSM/SM policy set, everything should work, I suppose.

kuzm1ch commented 2 years ago

After further investigation, ESO works fine with Kiam, but it needs some additional configuration. This is my resolution:

  1. Create a role with a policy that allows AssumeRole. Policy example:

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": [
                     "sts:AssumeRole"
                 ],
                 "Resource": [
                     "*"
                 ]
             }
         ]
     }
     ```

  2. Attach this role to the ESO deployment. It can be done by putting these lines directly into the manifest or via the podAnnotations Helm values block.

     ```yaml
     spec:
       template:
         metadata:
           annotations:
             iam.amazonaws.com/role: arn:aws:iam::*****:role/<role-with-assume-permissions>
     ```

  3. After that, ESO will be able to assume the role described in SecretStore.spec.provider.aws.role.
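The resolution above configures only the identity policy on the role that Kiam hands to the ESO pod. STS evaluates a second document as well: the trust policy on the role named in SecretStore.spec.provider.aws.role must accept the pod role as a principal, otherwise sts:AssumeRole returns the same AccessDenied seen in the issue. The following is an added example, not code from the issue or from the External Secrets project: a small Python checker that models both halves of that decision and flags the wildcard Resource in step 1 so it can be tightened to the SecretStore role ARN. All ARNs and policy bodies are constructed placeholders, and the evaluator is deliberately minimal (Effect, Action, Resource and Principal with `*`/`?` wildcards, no Condition keys).

```python
"""Check whether a Kiam pod role can assume the SecretStore role.

Added example with constructed inputs. It is not an IAM policy simulator;
it covers Effect/Action/Resource/Principal with '*' and '?' wildcards and
ignores Condition keys, which is enough to reproduce the two ways the
issue's 403 can arise.
"""
import fnmatch

# Constructed placeholder ARNs (hypothetical accounts, not from the issue).
POD_ROLE_ARN = "arn:aws:iam::111111111111:role/eso-kiam-role"
SECRETSTORE_ROLE_ARN = "arn:aws:iam::222222222222:role/eso-secrets-reader"

# Identity policy shaped like the one in the resolution: sts:AssumeRole on "*".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ["*"]}
    ],
}

# Least-privilege variant (assumption): only the SecretStore role is assumable.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": SECRETSTORE_ROLE_ARN}
    ],
}

# Trust policy on the SecretStore role. Without a matching Principal, STS
# rejects the call with AccessDenied even if the identity policy allows it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": POD_ROLE_ARN},
         "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match(pattern, value, fold_case=False):
    """IAM wildcard match ('*' and '?'); actions are case-insensitive."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy, action, resource):
    """Evaluate an identity policy for one action/resource pair.

    IAM semantics: an explicit Deny on a matching statement wins over any
    Allow; with no matching Allow the result is an implicit deny.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_match(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def trust_allows(trust_policy, principal_arn):
    """True if the role's trust policy lets principal_arn call sts:AssumeRole."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_match(a, "sts:AssumeRole", True) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if any(p in ("*", principal_arn) for p in aws_principals):
            return True
    return False


def assume_role_check(identity_policy, trust_policy, pod_role, target_role):
    """Both halves must pass for the ESO pod to assume the SecretStore role."""
    identity_ok = policy_allows(identity_policy, "sts:AssumeRole", target_role)
    trust_ok = trust_allows(trust_policy, pod_role)
    return {"identity_allows": identity_ok, "trust_allows": trust_ok,
            "can_assume": identity_ok and trust_ok}


def wildcard_assume_resources(policy):
    """Wildcard Resources on Allow sts:AssumeRole statements (over-broad grants)."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_match(a, "sts:AssumeRole", True) for a in actions):
            continue
        found.extend(r for r in _as_list(stmt.get("Resource")) if "*" in r or "?" in r)
    return found


if __name__ == "__main__":
    print(assume_role_check(BROAD_POLICY, TRUST_POLICY, POD_ROLE_ARN, SECRETSTORE_ROLE_ARN))
    # Missing trust policy: identity half passes, STS still returns AccessDenied.
    print(assume_role_check(SCOPED_POLICY, {"Statement": []}, POD_ROLE_ARN, SECRETSTORE_ROLE_ARN))
    print(wildcard_assume_resources(BROAD_POLICY))
```

`wildcard_assume_resources(BROAD_POLICY)` returns `["*"]` for the step 1 policy, which lets the pod role assume any role in any account whose trust policy happens to name it; replacing the Resource with the SecretStore role ARN (as in `SCOPED_POLICY`) keeps the fix working while limiting the blast radius of the Kiam-issued credentials.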

moolen commented 2 years ago

Thanks for documenting this!