This repository has been archived by the owner on Jul 26, 2022. It is now read-only.

Support IAM roles for service accounts #240

Closed
dudicoco opened this issue Dec 3, 2019 · 4 comments

dudicoco commented Dec 3, 2019

The new feature which supports assigning IAM roles directly to pods was recently released:
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/

Currently, the kubernetes-external-secrets pod is not able to assume the role and is using the node assigned role instead, although the aws-sdk version in nodejs supports the new feature.

@Flydiverny
Member

@dudicoco Have you checked all the kinks in the previous issue? #164

@dudicoco
Author

dudicoco commented Dec 3, 2019

@Flydiverny I have now checked all of the related issues.
Everything seems to be configured properly on my side, but I am experiencing the same issue as url

@Flydiverny
Member

Somehow I managed to link to the wrong issue; I meant to refer to #161.

I haven't tested this myself but my understanding is that if kiam or something else provides credentials to the pod, these are used before the IRSA credentials.

As seen here:
https://github.com/aws/aws-sdk-js/blob/v2.575.0/lib/node_loader.js#L61-L69

Please verify that you are not using other means of providing AWS credentials to the pod that have higher priority than TokenFileWebIdentityCredentials, which should be what is used for IRSA.
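
One way to run the check requested in the comment above, as an added example that is not part of the original thread or the project's code: it models the provider order of the aws-sdk-js v2 default chain and reports whether IRSA wins, is shadowed, or falls through to the node role. The provider order and the simplified readiness checks are assumptions recalled from the linked `node_loader.js`; `CHAIN`, `fileReadable` and `diagnose` are hypothetical names.

```javascript
// Added example: offline model of the aws-sdk-js v2 default credential chain (Node.js).
// Assumption: order recalled from the node_loader.js lines linked above; checks are
// simplified, and ProcessCredentials (between ECS and the token-file provider) is
// omitted because it needs profile parsing.
const IRSA = 'TokenFileWebIdentityCredentials';
const NODE_ROLE = 'EC2MetadataCredentials';
const CHAIN = [
  ['EnvironmentCredentials(AWS)', (e) => !!(e.AWS_ACCESS_KEY_ID && e.AWS_SECRET_ACCESS_KEY)],
  ['EnvironmentCredentials(AMAZON)', (e) => !!(e.AMAZON_ACCESS_KEY_ID && e.AMAZON_SECRET_ACCESS_KEY)],
  ['SharedIniFileCredentials', (e, canRead) =>
    canRead(e.AWS_SHARED_CREDENTIALS_FILE || `${e.HOME || ''}/.aws/credentials`)],
  ['ECSCredentials', (e) =>
    !!(e.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI || e.AWS_CONTAINER_CREDENTIALS_FULL_URI)],
  [IRSA, (e, canRead) =>
    !!(e.AWS_ROLE_ARN && e.AWS_WEB_IDENTITY_TOKEN_FILE) && canRead(e.AWS_WEB_IDENTITY_TOKEN_FILE)],
  [NODE_ROLE, () => true], // instance role via the metadata endpoint (or a proxy in front of it)
];

// Default readability probe; callers may inject their own (the test does).
function fileReadable(path) {
  try {
    const fs = require('fs');
    fs.accessSync(path, fs.constants.R_OK);
    return true;
  } catch (err) {
    return false;
  }
}

// Returns the first provider that would resolve and, if it is not IRSA, the reason.
function diagnose(env, canRead = fileReadable) {
  const ready = CHAIN.filter(([, check]) => check(env, canRead)).map(([name]) => name);
  const winner = ready[0];
  let reason;
  if (winner === IRSA) {
    reason = 'IRSA credentials are selected';
  } else if (winner !== NODE_ROLE) {
    reason = `shadowed by higher-priority provider ${winner}`;
  } else if (!env.AWS_ROLE_ARN || !env.AWS_WEB_IDENTITY_TOKEN_FILE) {
    reason = 'AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE not set in the pod';
  } else {
    reason = 'projected token not readable by the container user';
  }
  return { winner, irsaReady: ready.includes(IRSA), reason };
}

// Inside the pod: console.log(diagnose(process.env));
```

A `winner` of `EC2MetadataCredentials` means every earlier provider, IRSA included, failed to resolve, which matches the symptom of the pod using the node role.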

@Flydiverny
Member

Closing this as it seems resolved by discussion in #200
