
fix: Add ssm:DescribeParameters permission to external-secrets IAM role for service account (IRSA) #348

Merged: 2 commits merged into terraform-aws-modules:master from patch-1 on Mar 21, 2023

Conversation

jaydeland (Contributor) commented Mar 13, 2023

ssm:DescribeParameters is required to sync secrets from ParameterStore

Description

Error from the external-secrets log:

```
aws-role is not authorized to perform: ssm:DescribeParameters on resource: * because no identity-based policy allows the ssm:DescribeParameters action\n\tstatus code: 400, request id: ff","stacktrace":"github.com/external-secrets/external-secrets/pkg/controllers/e
```

Motivation and Context

When using AWS System Manager Parameters with external-secrets(ESO) the secrets can not be synced unless the AWS Role that is mapped to the EKS Service Account has the ssm:DescribeParameters action.

Breaking Changes

How Has This Been Tested?

1. Using the module: `terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks`
2. provider: aws
3. ESO SecretStore with

   ```yaml
   spec:
     provider:
       aws:
         service: ParameterStore
         region: us-east-1
         auth:
           jwt:
             serviceAccountRef:
               name: <sa_name>
   ```

4. Other values passed to the module

   ```hcl
   attach_external_secrets_policy = true
   allow_self_assume_role = true
   ```

• I have executed `pre-commit run -a` on my pull request

```
pre-commit run -a
[INFO] Initializing environment for https://github.com/antonbabenko/pre-commit-terraform.
[INFO] Initializing environment for https://github.com/pre-commit/pre-commit-hooks.
[INFO] Installing environment for https://github.com/pre-commit/pre-commit-hooks.
[INFO] Once installed this environment will be reused.
[INFO] This may take a few minutes...
Terraform fmt............................................................Passed
Terraform validate.......................................................Passed
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Passed
check for merge conflicts................................................Passed
fix end of files.........................................................Passed
```

ssm:DescribeParameters is required to sync secrets from ParameterStore
@jaydeland jaydeland changed the title Update policies.tf fix: Update policies.tf Mar 15, 2023
jaydeland (Contributor, Author) commented Mar 21, 2023

@antonbabenko or @bryantbiggs - Am I missing anything else to get this PR approved?

@bryantbiggs bryantbiggs changed the title fix: Update policies.tf fix: Add ssm:DescribeParameters permission to external-secrets IAM role for service account (IRSA) Mar 21, 2023
bryantbiggs (Member) commented

are you sure this will work or does it need to be a wildcard? aws-ia/terraform-aws-eks-blueprints#1504

jaydeland (Contributor, Author) commented Mar 21, 2023

> are you sure this will work or does it need to be a wildcard? aws-ia/terraform-aws-eks-blueprints#1504

bryantbiggs (Member) left a review comment

seems safe enough to try as is since the ARNs are in the users control - thank you!
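For readers following the resource-scoping question above, here is an added example of what a least-privilege policy for an external-secrets IRSA role reading Parameter Store can look like. It is not the module's own `policies.tf` and not code from this PR; the policy name, the `irsa_role_name` variable and the `/example-app/` path prefix are constructed placeholders. The point it illustrates is the one bryantbiggs raised: `ssm:GetParameter*` calls can be restricted to parameter ARNs the user controls, whereas the `ssm:DescribeParameters` request in the PR description was evaluated against resource `*`, and AWS lists no resource types for that action, so a statement that only names parameter ARNs will not authorize it.

```hcl
# Added example (not the terraform-aws-iam module's policies.tf): a scoped IAM
# policy for an external-secrets IRSA role that syncs from Parameter Store.
# The role name and parameter path prefix are assumed values.

variable "irsa_role_name" {
  description = "Name of the IRSA role created for external-secrets (assumed)"
  type        = string
}

variable "parameter_path_prefix" {
  description = "Parameter Store path this SecretStore may read (assumed)"
  type        = string
  default     = "/example-app/"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "external_secrets_ssm" {
  # Reads of parameter values support resource-level permissions, so they are
  # limited to ARNs under the path prefix the user controls. SSM parameter ARNs
  # have the form arn:aws:ssm:<region>:<account>:parameter/<name>, where <name>
  # already begins with "/", hence "parameter" + prefix with no extra slash.
  statement {
    sid = "ReadParametersUnderPrefix"
    actions = [
      "ssm:GetParameter",
      "ssm:GetParameters",
      "ssm:GetParametersByPath",
    ]
    resources = [
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${var.parameter_path_prefix}*",
    ]
  }

  # ssm:DescribeParameters is evaluated against resource "*" (see the denied
  # request quoted in the PR description), so it cannot be narrowed to ARNs.
  # Keeping it in its own statement makes the wildcard explicit for review;
  # the action returns parameter metadata (names, types), not values.
  statement {
    sid       = "DescribeParameters"
    actions   = ["ssm:DescribeParameters"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "external_secrets_ssm" {
  name   = "external-secrets-parameter-store" # assumed name
  policy = data.aws_iam_policy_document.external_secrets_ssm.json
}

resource "aws_iam_role_policy_attachment" "external_secrets_ssm" {
  role       = var.irsa_role_name
  policy_arn = aws_iam_policy.external_secrets_ssm.arn
}
```

After applying, `terraform show` on `data.aws_iam_policy_document.external_secrets_ssm` prints the rendered JSON, which is the artifact to review: the value-reading statement should carry the account-scoped ARN prefix, and only the `DescribeParameters` statement should carry `"Resource": "*"`. Separating the two statements is what keeps that wildcard reviewable instead of letting it widen the read statement.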

@bryantbiggs bryantbiggs merged commit fe8d73b into terraform-aws-modules:master Mar 21, 2023
antonbabenko pushed a commit that referenced this pull request Mar 21, 2023
### [5.14.2](v5.14.1...v5.14.2) (2023-03-21)

### Bug Fixes

* Add `ssm:DescribeParameters` permission to `external-secrets` IAM role for service account (IRSA) ([#348](#348)) ([fe8d73b](fe8d73b))
antonbabenko (Member) commented

This PR is included in version 5.14.2 🎉

@jaydeland jaydeland deleted the patch-1 branch March 21, 2023 21:27
github-actions bot commented

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 22, 2023