Cannot get External-Secrets to work with AWS EKS and Secrets Manager #529
Replies: 26 comments 11 replies
-
So first of what type of authentication are you trying to use for AWS? (I took the liberty of deleting your comment, and editing the issue. As the comment contained 2 copies of your values, one with the AWS account id which you may or may not be concerned with posting) |
Beta Was this translation helpful? Give feedback.
-
Thanks for modifying my post. So then it is either service accounts or AWS credentials but not both? So I could really uses someone's input I started with just the service account but then I added the AWS credentials because the external secret status reports ERROR, Missing credentials in config. Logging into the deployment the I can see the credentials are properly set. If I change the serviceAccount.create to false and copy out the annotation and name the generation the Kubernetes yam complains with Error: failed to parse values.yaml: error converting YAML to JSON: yaml: line 17: did not find expected key If I uncomment the annotation and name then the serviceaccount yaml is not generated but the deployment still references the name of the service account. serviceAccountName: {{ template "kubernetes-external-secrets.serviceAccountName" . }} So I am at a loss. |
Beta Was this translation helpful? Give feedback.
-
I'm not sure of the exact precedence order but I believe set environment variables will override any other credentials. There must be a service account, either created, or referenced by name to an already existing service account. If you are trying to use IAM roles for service account then set the annotation, if you are trying to use env variables for credentials then leave the annotation out. As listed here https://github.com/godaddy/kubernetes-external-secrets#aws-based-backends there is several different ways to provide authentication details for AWS backends. You can only use one at a time. And yes most of the docs here could use some love to better present the information it contains :) |
Beta Was this translation helpful? Give feedback.
-
Markus, Thanks for your reply. Set the annotation where - in the deployment or the service account? And is a role really required in the external secret. So I let the generation define a service account with an annotation specifying a role that has access to retrieve the secret but external secret complained of no credentials. I am attaching the deployment yamls for your reference. in another comment. If you could point out where I have gone wrong that would be really, really great. |
Beta Was this translation helpful? Give feedback.
-
This is what I get: kubectl get externalsecrets.kubernetes-client.io hello-service hello-service 0s ERROR, Missing credentials in config 11s |
Beta Was this translation helpful? Give feedback.
-
Here are the yaml files I am deploying. Tar extracts into templates. Trust relationship and policy are also included along with values.yaml. The only thing not included is the aws-creds secret. I am still getting reds error from the external secret. I definitely appreciate your assistance. |
Beta Was this translation helpful? Give feedback.
-
Assuming you have a role Set the annotation on the service account refering to this role serviceAccount:
annotations:
"eks.amazonaws.com/role-arn": 'arn:aws:iam::123456789101:role/webserver-secrets-role'
name: webserver-service-account Remove the secret envs, eg this section: envVarsFromSecret:
AWS_ACCESS_KEY_ID:
secretKeyRef: aws-credentials
key: id
AWS_SECRET_ACCESS_KEY:
secretKeyRef: aws-credentials
key: key in your external secret resource remove the roleArn: arn:aws:iam::123456789101:role/webserver-secrets-role
You should be able to confirm that the credentials are picked up by exec into the pod, AWS provides some examples here Hopefully that gets you further! I know there is some trouble getting up and running with IRSA, but it should work given all configuration is correct 😄 |
Beta Was this translation helpful? Give feedback.
-
Markus, I followed your instructions above and I think I am getting closer but I am still not quite there yet. Now I am able to create an external secret but the secret is not getting created with the role I am using. looking at the logs on the deployment pod, it seems that my role is not working correctly and the role being used to access secrets is the NodeInstanceRole instead of the role in the service account. I attached my policy to the NodeInstanceRole and the external secret generated the secret as advertised. So I need to figure out what is going on with my role. Code is attached along with a log snippet. I will keep you posted - that you for your assistance. |
Beta Was this translation helpful? Give feedback.
-
NodeInstanceRole is the last fallback in the credential chain. Its always a mystery to me why the IRSA credentials aren't picked up! securityContext:
fsGroup: 65534 Best to verify the configuration works without KES first. So the trust relationship is known to be working. |
Beta Was this translation helpful? Give feedback.
-
I think I figured this out. I keep destroying and recreating EKS clusters to keep costs down, but I was forgetting to recreate the IODC identity provider. Duh! I do my best work thinking in the shower. So this is now working in a us-east-2 1.18 EKS test cluster created from a CentOS 7 machine with kubectl 1.18.8 , aws 2.0.57, helm version 3.34, and eksctl 0.30.0. I am going redeploy this cluster with a KMS key acticated. Then I need to move this to our work cluster. it is EKS 1.17 cluster from a WSL Ubuntu running on Windows10, kubectl 1.17.7, aws 2.0.38, helm 3.3.0, and eksctl 0.28.1 (although eksctl does not come into play). I will keep you posted. |
Beta Was this translation helpful? Give feedback.
-
Markus, David |
Beta Was this translation helpful? Give feedback.
-
Markus, I do have two remaining questions. 1.) Can this be setup for all namespaces in the cluster or does External Secrets need to deploy to each namespace that requires a secret. 2.) Does this support rotating passwords? David |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
Markus, How do I change the polling? Is there a parameter in values.yml to do that? So if I understand correctly, external secrets will watch across all namespaces even if it is in a namespace of its own? If that is the case, how does this work in a cluster with multiple apps each having an external secret. Would I add multiple roles to the service account and then restrict which roles a namespace is permitted to assume? |
Beta Was this translation helpful? Give feedback.
-
Markus, I see where I can change polling - I should have take closer look at the deployment. I have been playing around with deploying ket into it's own namespace and creating secrets others. It is pretty cool. Now I just need to work out the question above with the service account/namespace/password restriction. |
Beta Was this translation helpful? Give feedback.
-
Markus, Another set of questions if you are willing to answer - these are really design questions. I want to limit access from different namespaces to specific secrets. First, since this implementation works across all namespaces, there is only one service account. I presume there are two different ways to approach this. First, multiple roles pointing to the same serviceaccount for the KES deployment each with different secret policies. Then the service account would have a list of roles as annotations. The second, one role with a set of policies, one for each secret. The former would restrict namespaceaccess to a role and the latter would allow namespaces to restrict what password they have access to. I have not tried either of these - is one better than the other? Also, is KES centralized across nodegroups? Again, I appreciate your help. |
Beta Was this translation helpful? Give feedback.
-
You can do a setup with multiple IAM roles where the role used by the service account (SA) is allowed to assume the other roles. You can specify a Likewise you can use So given a secret key naming pattern of something like The annotation names are configurable. Additionally if you use those annotations you might want to set the environment variable |
Beta Was this translation helpful? Give feedback.
-
Markus, |
Beta Was this translation helpful? Give feedback.
-
I guess what you are talking about is this optional config in the external-secret: optional: specify role to assume when retrieving the data but what would the role look like and that policy would be attached? I appreciate your time. |
Beta Was this translation helpful? Give feedback.
-
Yes! :) The role would have trust relationship to your service account role (the one with the webidentity) and the policy would provide access to a subset of your secret manager resources. Example trust relationship: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789101:role/webserver-secrets-role"
},
"Action": "sts:AssumeRole"
}
]
} Policy could look something like this, to limit it to only get resources whose names starting with /development/ {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:Get*",
],
"Resource": "arn:aws:secretsmanager:us-east-2:123456789101:secret:/development/*"
}
]
} |
Beta Was this translation helpful? Give feedback.
-
Correct, if you will be using |
Beta Was this translation helpful? Give feedback.
-
Yeah! I was writing something when you just replied and I lost it. I was asking what the final service account policy should look like since in the README.md secrets were referenced directly. But now we are getting policies from the external secrets roles. Thus the SA just becomes a role with no policy and everything we need comes from the policy attached to the role in the external secret. Also the |
Beta Was this translation helpful? Give feedback.
-
Looks like it requires both annotations to be present. |
Beta Was this translation helpful? Give feedback.
-
Markus, I got the implementation to work. Now onto the iam.amazonaws.com/permitted, externalsecrets.kubernetes-client.io/permitted-key-name:, and ENFORCE_NAMESPACE_ANNOTATIONS=true feature. I thank you for you assistance - I will keep you posted. - David |
Beta Was this translation helpful? Give feedback.
-
Markus, |
Beta Was this translation helpful? Give feedback.
-
PRs welcome! We should really try to set up a docs site to be able to provide better structure for the docs but lack of time is apparently a thing :) |
Beta Was this translation helpful? Give feedback.
-
I set this up and and created a values.yaml to override the default values in the chart. I created a k8s secret called aws-credentials with keys id and key for and IAM user that has admin rights. I deployed the helm chart, created an AWS secret, and External secret following the documentation. The secret never gets created. If I do a describe on the external secret object I see and error:
Status: ERROR, Missing credentials in config
My values file is as follows. Looking for solution.
Beta Was this translation helpful? Give feedback.
All reactions