kelseyhightower / confd

Manage local application configuration files using templates and data from etcd or consul
MIT License
8.33k stars 1.41k forks

Confd can't authenticate with ssm backend #854

Open hgibsonqb opened 2 years ago

hgibsonqb commented 2 years ago

Hi,

I'm running confd in a container in EKS. The pod has a service account which is associated with an IAM role. https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

The AWS environment variables in the pod look like this. I've also tested without AWS_SDK_LOAD_CONFIG set, with the same results.

AWS_SDK_LOAD_CONFIG=1
AWS_REGION=us-east-2
AWS_DEFAULT_REGION=us-east-2
AWS_ROLE_ARN=<my role arn>
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

I'm able to see valid aws configuration

# aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************G3Z6 assume-role-with-web-identity    
secret_key     ****************Uy6T assume-role-with-web-identity    
    region                us-east-2              env    AWS_DEFAULT_REGION

I'm also able to access the ssm parameters through the aws cli

# aws ssm get-parameter --name <my prefix>/<my ssm parameter name>
{
    "Parameter": {
        "Name": "<my ssm parameter>",
        "Type": "SecureString",
        "Value": "<my value>",
        "Version": 1,
        "LastModifiedDate": 1626799800.065,
        "ARN": "<my arn>",
        "DataType": "text"
    }
}

However, trying to access them with the confd ssm backend returns an error

confd -onetime -backend ssm -prefix /<my prefix> -log-level debug
2022-02-02T19:39:08Z indigo-web-m-76cdb94fc8-jnx99 confd[39]: INFO Backend set to ssm
2022-02-02T19:39:08Z indigo-web-m-76cdb94fc8-jnx99 confd[39]: INFO Starting confd
2022-02-02T19:39:08Z indigo-web-m-76cdb94fc8-jnx99 confd[39]: INFO Backend source(s) set to 
2022-02-02T19:39:08Z indigo-web-m-76cdb94fc8-jnx99 confd[39]: FATAL NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors

I'm using confd version confd-0.16.0-linux-amd64 and awscli version aws-cli/1.22.46 Python/3.7.3 Linux/5.4.162-86.275.amzn2.x86_64 botocore/1.23.46. The container OS is x86_64 GNU/Linux.

My toml file looks like this

[template]
src  = "<my file tmpl>"
dest = "<my file yaml>"
mode = "0640"
uid  = 1000
gid  = 1000

<my file tmpl> looks like this

:ENV:
  <MY PARAM>: {{getv "/<my prefix>/<my ssm parameter name>" ""}}

hgibsonqb commented 2 years ago

I did some investigation and it's probably because the aws-go-sdk version used by confd is very old. In the go package lock https://github.com/kelseyhightower/confd/blob/master/Gopkg.lock it's pinned to version "v1.13.41" from 2018.

The session package's environment variable config file from that version has no option for WEB_IDENTITY_TOKEN_FILE or AWS_ROLE_ARN https://github.com/aws/aws-sdk-go/blob/9a2fe34af9644afba4a1a1406966e78eb0e985af/aws/session/env_config.go#L19-L98

The most recent version does though https://github.com/aws/aws-sdk-go/blob/main/aws/session/env_config.go#L131-L137

Would it be possible to upgrade the aws-go-sdk version?
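
An added diagnostic to go with the root cause above; this is not code from confd or from aws-sdk-go. It does the part the pinned v1.13.41 SDK cannot: read AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE from the environment, then decode the projected service-account token at that path and check its audience and expiry, so a pod can confirm its IRSA wiring is sound before concluding the failure is in confd. The function names (Preflight, ParseTokenClaims, MakeUnsignedToken) are hypothetical, the default audience sts.amazonaws.com and the three-part JWT layout of the token file are assumptions, and MakeUnsignedToken only produces a constructed, unsigned sample for offline use; it does not attempt any STS call.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// TokenClaims are the projected service-account token claims that matter for
// AssumeRoleWithWebIdentity: subject, audience and expiry.
type TokenClaims struct {
	Subject  string
	Audience []string
	Expiry   int64
}

// ParseTokenClaims decodes a JWT payload without checking the signature; STS
// verifies the signature, this is only a local sanity check.
func ParseTokenClaims(token string) (TokenClaims, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return TokenClaims{}, fmt.Errorf("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return TokenClaims{}, fmt.Errorf("decoding JWT payload: %w", err)
	}
	var raw struct {
		Subject string          `json:"sub"`
		Aud     json.RawMessage `json:"aud"`
		Expiry  int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return TokenClaims{}, fmt.Errorf("parsing JWT payload: %w", err)
	}
	claims := TokenClaims{Subject: raw.Subject, Expiry: raw.Expiry}
	// The aud claim is a bare string in some tokens and an array in others.
	var single string
	if json.Unmarshal(raw.Aud, &single) == nil {
		claims.Audience = []string{single}
	} else if json.Unmarshal(raw.Aud, &claims.Audience) != nil {
		return TokenClaims{}, fmt.Errorf("aud claim is neither a string nor an array")
	}
	return claims, nil
}

// Preflight does what the v1.13.41 SDK pinned by confd cannot: it reads the
// IRSA settings (AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE) from the environment,
// then confirms the token file holds an unexpired JWT for the expected audience.
// getenv is injectable so the check can be run against a fake environment.
func Preflight(getenv func(string) string, wantAud string, now time.Time) (TokenClaims, error) {
	roleARN, tokenFile := getenv("AWS_ROLE_ARN"), getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	if roleARN == "" || tokenFile == "" {
		return TokenClaims{}, fmt.Errorf("AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE must both be set")
	}
	data, err := os.ReadFile(tokenFile)
	if err != nil {
		return TokenClaims{}, fmt.Errorf("reading token file: %w", err)
	}
	claims, err := ParseTokenClaims(string(data))
	if err != nil {
		return TokenClaims{}, err
	}
	audOK := false
	for _, a := range claims.Audience {
		audOK = audOK || a == wantAud
	}
	if !audOK {
		return claims, fmt.Errorf("token audience %v does not include %q", claims.Audience, wantAud)
	}
	if !time.Unix(claims.Expiry, 0).After(now) {
		return claims, fmt.Errorf("token expired at %s; the kubelet should have rotated it", time.Unix(claims.Expiry, 0).UTC())
	}
	return claims, nil
}

// MakeUnsignedToken builds a constructed JWT for offline demonstration; its
// signature is a placeholder, so STS would reject it.
func MakeUnsignedToken(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"
}

// main runs the preflight against the real pod environment; IRSA tokens carry
// audience sts.amazonaws.com unless the pod spec requests another one.
func main() {
	claims, err := Preflight(os.Getenv, "sts.amazonaws.com", time.Now())
	if err != nil {
		fmt.Println("web-identity preflight failed:", err)
		os.Exit(1)
	}
	fmt.Printf("web-identity preflight passed for %s; confd still needs an SDK that reads these variables\n", claims.Subject)
}
```

A passing preflight narrows the problem to the SDK in the binary: the variables and token are fine, and a credential chain that knows the web-identity provider would use them. A failure points at the pod spec (missing service-account annotation or projected volume, wrong audience) rather than at confd.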

abtreece commented 2 years ago

Hey @hgibsonqb, you could give my fork of confd a shot.