feat: add option to assume role #144

moolen · 2019-08-09T13:53:19Z

This PR solves #143

It adds an option to specify a roleArn on a ExternalSecret CRD. The app will assume a role before retrieving the secret.

I tested it using localstack and AWS.

moolen · 2019-08-13T08:54:05Z

@silasbw could you please take a look if you have the time?

silasbw

hey @moolen, sorry for the delay. It's been vacation season over here.

Looks, good. One question.

silasbw · 2019-08-21T15:35:41Z

lib/poller.js

+   * @param {Object} namespace namespace object
+   * @param {Object} descriptor secret descriptor
+   */
+  async _isPermitted (namespace, descriptor) {


Do external secrets users need to add annotations to their namespaces if they're using the assume role feature?

they don't have to, it's optional. I added a test to verify all testcases.

README.md

Signed-off-by: Moritz Johner <[email protected]>

add option to restrict the range of assumed roles by specifying an regular expression on a namespace annotation Signed-off-by: Moritz Johner <[email protected]>

Signed-off-by: Moritz Johner <[email protected]>

moolen · 2019-08-22T11:28:00Z

@silasbw i addressed the issues and rebased, PTAL again.

keweilu

few nits

README.md

config/aws-config.js

Signed-off-by: Moritz Johner <[email protected]>

keweilu

Thanks for the PR!

mo-saeed · 2019-09-16T09:08:05Z

Just to mention, This pull request is really important for us.
@silasbw Hope it will get approved, merged and released soon so we can test it.
Thanks @moolen for implementing this !

anujgpatel · 2019-10-16T15:51:50Z

Thanks for this feature, do we have a tentative date when this can be released?

antoniotamer · 2019-10-21T23:31:20Z

Hi,

I got the impression from the docs in the master branch that role assumption is possible on a per-secret basis is possible. I went ahead and created a role for external-secrets to assume in all of my AWS accounts but it seems external-secrets isn't even trying to assume that role.

See below:

apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  annotations:
  labels:
    clusterColor: black
    env: dev
    gitRepo: manual-test-delete-me
  name: manual-test-delete-me
  namespace: default
secretDescriptor:
  backendType: systemManager
  roleArn: <<a role arn that can be assumed>>
  data:
  - key: /glooe/license-key
    name: license-key

I'm running external-secrets 1.5.0. Do we need to wait on a release for this feature to be usable?

* feat: add option to assume role when retrieving secrets Signed-off-by: Moritz Johner <[email protected]> * feat: restrict iam roles per namespace add option to restrict the range of assumed roles by specifying an regular expression on a namespace annotation Signed-off-by: Moritz Johner <[email protected]> * chore: add test to verify assume-role access control * docs: add policy for secrets manager * docs: add assume-role limits per ns Signed-off-by: Moritz Johner <[email protected]> * docs: fix spelling Signed-off-by: Moritz Johner <[email protected]> * chore: remove stupid code

moolen force-pushed the feat/assume-role branch from 907f9c2 to 4548af4 Compare August 13, 2019 20:56

silasbw requested a review from keweilu August 21, 2019 15:31

silasbw reviewed Aug 21, 2019

View reviewed changes

keweilu reviewed Aug 21, 2019

View reviewed changes

README.md Outdated Show resolved Hide resolved

moolen added 5 commits August 21, 2019 22:32

feat: add option to assume role when retrieving secrets

a8564ec

Signed-off-by: Moritz Johner <[email protected]>

feat: restrict iam roles per namespace

de15871

add option to restrict the range of assumed roles by specifying an regular expression on a namespace annotation Signed-off-by: Moritz Johner <[email protected]>

chore: add test to verify assume-role access control

7a17a11

docs: add policy for secrets manager

f8d7286

docs: add assume-role limits per ns

7c1f646

Signed-off-by: Moritz Johner <[email protected]>

moolen force-pushed the feat/assume-role branch from 747a457 to 7c1f646 Compare August 21, 2019 20:33

keweilu reviewed Aug 28, 2019

View reviewed changes

README.md Outdated Show resolved Hide resolved

config/aws-config.js Show resolved Hide resolved

moolen added 2 commits August 29, 2019 16:08

docs: fix spelling

84be33f

Signed-off-by: Moritz Johner <[email protected]>

chore: remove stupid code

4a99160

keweilu approved these changes Aug 29, 2019

View reviewed changes

moolen mentioned this pull request Sep 8, 2019

Support to have IAM user Assume a Role when retrieving secret data #143

Closed

keweilu merged commit f0ce6ed into external-secrets:master Sep 27, 2019

mmcaya mentioned this pull request Oct 14, 2019

Use of "iam.amazonaws.com/permitted" annotation causes conflicts with existing KIAM setups #174

Closed

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add option to assume role #144

feat: add option to assume role #144

moolen commented Aug 9, 2019

moolen commented Aug 13, 2019

silasbw left a comment

silasbw Aug 21, 2019

moolen Aug 21, 2019

moolen commented Aug 22, 2019 •

edited

Loading

keweilu left a comment

keweilu left a comment

mo-saeed commented Sep 16, 2019 •

edited

Loading

anujgpatel commented Oct 16, 2019

antoniotamer commented Oct 21, 2019

feat: add option to assume role #144

feat: add option to assume role #144

Conversation

moolen commented Aug 9, 2019

moolen commented Aug 13, 2019

silasbw left a comment

Choose a reason for hiding this comment

silasbw Aug 21, 2019

Choose a reason for hiding this comment

moolen Aug 21, 2019

Choose a reason for hiding this comment

moolen commented Aug 22, 2019 • edited Loading

keweilu left a comment

Choose a reason for hiding this comment

keweilu left a comment

Choose a reason for hiding this comment

mo-saeed commented Sep 16, 2019 • edited Loading

anujgpatel commented Oct 16, 2019

antoniotamer commented Oct 21, 2019

moolen commented Aug 22, 2019 •

edited

Loading

mo-saeed commented Sep 16, 2019 •

edited

Loading