terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/iam/aws
Apache License 2.0
787 stars 996 forks

(iam-role-for-service-accounts-eks) Missing permission for external-secrets when create mode is enabled. #441

Closed rajish closed 9 months ago

rajish commented 10 months ago

Description

Setting the external_secrets_secrets_manager_create_permission to true does not attach all permissions necessary to create secrets. One is missing: kms:GenerateDataKey.

Versions

Reproduction Code [Required]

# IRSA role for the external-secrets controller. The create-permission flag is
# expected to attach everything the controller needs to write secrets.
module "external_secrets_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 5"

  role_name_prefix                                   = "${var.name_prefix}-external-secrets-"
  attach_external_secrets_policy                     = true
  external_secrets_secrets_manager_create_permission = true

  # Trust the cluster's OIDC provider for the controller's service account only
  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["external-secrets:external-secrets-sa"]
    }
  }

  tags = var.common_tags
}

# Install the chart without letting the addon create its own role; hand it the
# module's role through the service-account annotation instead.
module "eks_blueprints_addons" {
  source  = "aws-ia/eks-blueprints-addons/aws"
  version = "~> 1.0"
...
  enable_external_secrets = true
  external_secrets = {
    chart_version = ">= 0.9.9"
    create_role   = false
    set = [
      {
        name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
        value = module.external_secrets_irsa.iam_role_arn
      }
    ]
  }
...
}

# Namespaced SecretStore backed by Secrets Manager. "role" is only rendered when
# var.role_arn is set; otherwise the controller's own IRSA identity is used.
resource "kubectl_manifest" "secret_store" {
  yaml_body = <<-YAML
    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: ${var.name_prefix}-store
      namespace: ${var.namespace}
    spec:
      provider:
        aws:
          region: ${var.aws_region}
          service: SecretsManager
          ${var.role_arn != null ? "role: ${var.role_arn}" : ""}
  YAML
  depends_on = [
    kubectl_manifest.k8ssandra_cluster
  ]
}

# PushSecret: copies the username and password keys of a Kubernetes Secret into
# Secrets Manager. This is the write path that fails with the KMS error below.
resource "kubectl_manifest" "external_secret_cassandra_superuser" {
  yaml_body = <<-YAML
    apiVersion: external-secrets.io/v1alpha1
    kind: PushSecret
    metadata:
      name: ${var.name_prefix}-external-secret
      namespace: ${var.namespace}
    spec:
      refreshInterval: 1m
      secretStoreRefs:
      - name: ${var.name_prefix}-store
        kind: SecretStore
      selector:
        secret:
          name: ${var.secret_name}
      data:
      - match:
          secretKey: username
          remoteRef:
            remoteKey: ${var.aws_secret_name}/username
      - match:
          secretKey: password
          remoteRef:
            remoteKey: ${var.aws_secret_name}/password
  YAML
  depends_on = [
    kubectl_manifest.secret_store
  ]
}

Steps to reproduce the behavior:

  1. Deploy external-secrets in the cluster with the role above
  2. Create a PushSecret

Expected behavior

The PushSecret is synced.

Actual behavior

The PushSecret fails with the following error:

et secret failed: could not write remote ref username to target secretstore xxxxx-store: AccessDeniedException: Access to KMS is not allowed status code: 400, request id: xxxxx-xxxx-xxxxx-xxxx

Additional context

Manually adding the kms:GenerateDataKey permission to the policy fixed the problem.
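Added example, not code from the issue or from the module: the supplemental grant the reporter describes, written as Terraform you would place next to the module call above. It allows kms:GenerateDataKey on the customer-managed key that encrypts the pushed secrets, restricted with the kms:ViaService condition so the role can only exercise the key through Secrets Manager in that region, and attaches it to the module's role. var.secrets_kms_key_arn and var.aws_region are assumed inputs; module.external_secrets_irsa.iam_role_name is the IRSA module's role-name output.

```hcl
# Added example (not part of issue #441 or the terraform-aws-iam module).
# Assumed inputs: var.secrets_kms_key_arn (the CMK encrypting the secrets),
# var.aws_region and var.name_prefix.
data "aws_iam_policy_document" "external_secrets_kms_write" {
  statement {
    sid       = "ExternalSecretsGenerateDataKey"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey"]
    resources = [var.secrets_kms_key_arn]

    # Only honour the grant when KMS is called on behalf of Secrets Manager,
    # so the role cannot use the key directly from the pod.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.${var.aws_region}.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "external_secrets_kms_write" {
  name_prefix = "${var.name_prefix}-external-secrets-kms-"
  policy      = data.aws_iam_policy_document.external_secrets_kms_write.json
}

# Attach to the role created by the IRSA module above.
resource "aws_iam_role_policy_attachment" "external_secrets_kms_write" {
  role       = module.external_secrets_irsa.iam_role_name
  policy_arn = aws_iam_policy.external_secrets_kms_write.arn
}
```

Two caveats worth checking before applying this. First, it is only needed when the secrets are encrypted with a customer-managed key: the AWS-managed aws/secretsmanager key already permits use through Secrets Manager, so no identity-policy grant is required for it, and the "Access to KMS is not allowed" error above indicates a CMK is in play. Second, a CMK's own key policy must also allow the role (directly or by delegating to IAM policies in the account); an identity-policy grant alone is not sufficient. Reading the secret back still requires kms:Decrypt, which this statement does not cover.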

github-actions[bot] commented 9 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

github-actions[bot] commented 9 months ago

This issue was automatically closed because it had been stale for 10 days.

github-actions[bot] commented 8 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.