kubernetes-addons/external-secrets // SA IAM permissions need wildcard to use find.path feature #75

Closed
1 task done
daniel-ciaglia opened this issue Mar 20, 2023 · 0 comments · Fixed by #76


@daniel-ciaglia
Contributor

Description

Using the more advanced dataFrom.find (ESO Docs) feature of ESO resulted in the following error:

{
  "level": "error",
  "ts": 1679312792.8673346,
  "logger": "controllers.ExternalSecret",
  "msg": "could not get secret data from provider",
  "ExternalSecret": "<foo>/<foo>-ssm",
  "SecretStore": "default-parameter-store",
  "error": "AccessDeniedException: User: arn:aws:sts::<account>:assumed-role/external-secrets-sa-irsa/external-secrets-provider-aws is not authorized to perform: ssm:DescribeParameters on resource: arn:aws:ssm:eu-central-1:<account>:* because no identity-based policy allows the ssm:DescribeParameters action\n\tstatus code: 400, request id: 0d70ad3c-f5c7-4995-af71-ae43e15cde80",
  "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:121\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:320\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:234"
}

There is no clear documentation on what IAM permissions are needed to run ssm:DescribeParameters, but there are hints that a wildcard is needed:

  • from the error message above
  • some implicit documentation pieces (AWS SSM Docs)

By adding the following statement to the SA IAM policy, the controller was happy and created the k8s secret:

{
    "Action": [
        "ssm:DescribeParameters"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:ssm:*:*:*",
    "Sid": ""
},
  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version: 4.16

Reproduction Code [Required]

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: foo-ssm
spec:
  refreshInterval: 15m
  secretStoreRef:
    kind: ClusterSecretStore
    name: default-parameter-store
  target:
    creationPolicy: Merge
    name: foo
  dataFrom:
    - find:
        name:
          regexp: ".*"
        path: /env/bar/foo

Steps to reproduce the behavior:

  • create SSM parameter structure matching the above path
  • create cluster with external-secrets enabled
  • apply manifest

Expected behaviour

The secret is filled with data

Actual behaviour

Error, see above.
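Why a path-scoped policy cannot satisfy this call, shown as an added worked example (not code from the issue author, the external-secrets module or AWS): a toy IAM evaluator that applies the basic Deny > Allow > implicit-deny rule with IAM-style `*`/`?` glob matching. The resource AWS names in the AccessDeniedException above is `arn:aws:ssm:<region>:<account>:*`, a literal string, so a parameter-path pattern such as `arn:aws:ssm:…:parameter/env/bar/foo/*` never matches it, whereas the wildcard statement from the issue does. The account id (`111122223333`) and the "before" policy shape (reads scoped to the find.path) are constructed assumptions; NotAction, NotResource, Condition keys and resource policies are not modelled.

```python
"""Toy IAM policy evaluator for the ssm:DescribeParameters case in this issue.

Added example, not code from the issue author, ESO or AWS. It reproduces
only the basic IAM evaluation rule (explicit Deny > Allow > implicit deny)
for Action/Resource matching; NotAction, NotResource, Condition and
resource policies are out of scope. The account id and the path-scoped
"before" policy are constructed for illustration.
"""
import copy
import re

ACCOUNT = "111122223333"  # constructed; the issue redacts it as <account>
REGION = "eu-central-1"
PATH = "/env/bar/foo"      # the find.path from the issue's manifest

# Constructed "before" policy: reads scoped to the parameter path, which is
# enough for data[].remoteRef lookups but not for dataFrom.find.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadParameters",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath",
            ],
            "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{PATH}/*",
        }
    ],
}

# The statement the issue adds to make find.path work.
DESCRIBE_STATEMENT = {
    "Sid": "DescribeParameters",
    "Effect": "Allow",
    "Action": ["ssm:DescribeParameters"],
    "Resource": "arn:aws:ssm:*:*:*",
}

# Resource string from the AccessDeniedException in the issue (account redacted there).
DESCRIBE_REQUEST_RESOURCE = f"arn:aws:ssm:{REGION}:{ACCOUNT}:*"


def iam_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Action names are matched case-insensitively, ARNs case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action: str, resource: str) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(iam_match(a, action, case_sensitive=False) for a in actions):
                continue
            if not any(iam_match(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny always wins
            decision = "Allow"
    return decision


def with_statement(policy, statement):
    """Return a copy of `policy` with `statement` appended."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"].append(statement)
    return fixed


def describe_decision(policy) -> str:
    """Decision for the exact call that failed in the issue."""
    return evaluate([policy], "ssm:DescribeParameters", DESCRIBE_REQUEST_RESOURCE)


def path_scoped_describe_policy():
    """The tempting but insufficient fix: DescribeParameters scoped to the path."""
    stmt = dict(DESCRIBE_STATEMENT, Resource=f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{PATH}/*")
    return with_statement(SCOPED_POLICY, stmt)


def narrowed_describe_policy():
    """Wildcard narrowed to this region and account (hypothetical variant)."""
    stmt = dict(DESCRIBE_STATEMENT, Resource=f"arn:aws:ssm:{REGION}:{ACCOUNT}:*")
    return with_statement(SCOPED_POLICY, stmt)


if __name__ == "__main__":
    print("before:       ", describe_decision(SCOPED_POLICY))
    print("path-scoped:  ", describe_decision(path_scoped_describe_policy()))
    print("wildcard:     ", describe_decision(with_statement(SCOPED_POLICY, DESCRIBE_STATEMENT)))
    print("region/account", describe_decision(narrowed_describe_policy()))
```

The evaluator also accepts the region- and account-narrowed form because the requested resource string in the error carries that region and account; before relying on the narrowed form in a real role, confirm it against the SSM entry in the AWS service authorization reference and with `aws iam simulate-principal-policy`, since a toy matcher cannot tell you which resource-level scoping the service actually honours for this action. The reads (`ssm:GetParameter*`) stay scoped to the path either way; only the listing call needs the broader resource.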
