ricoberger / vault-secrets-operator

Create Kubernetes secrets from Vault for a secure GitOps based workflow.
MIT License

AWS IAM Authentication - Experiencing issues because VSO is not renewing IAM Role Token inside Kubernetes Pod (IRSA) #271

Closed altingjonbalajj closed 4 months ago

altingjonbalajj commented 5 months ago

We are experiencing issues with VSO because the AWS IAM IRSA token is not being renewed by VSO. Once the AWS Session Token expires, it cannot do the aws sts get-caller-identity call, and hence it fails authentication on Vault.

Possible fix if true: Creating a self-renewing mechanism for the AWS Session Token.

altingjonbalajj commented 4 months ago

Fixed this by setting VAULT_TOKEN_MAX_TTL to 1800 since this forces reauthentication to AWS using WEB IDENTITY TOKEN.