Service account token request from synced service account does not work with AWS IRSA #1310
Comments
@giepa thanks for creating this issue! That is expected, since vcluster has its own service accounts and certificates. You will need to add the annotation to the actual workload service account and then AWS should inject a token automatically.
@FabianKramm thanks for your response, could you clarify:
Which annotation are you referring to? In our case, the workload service account is not being used, instead a token is requested for a given service account, in a given namespace. To give more context, we are running external-secrets-operator in vcluster. The operator has the concept of secret store, where a service account reference is provided, for example:
For the above example, external-secrets-operator will request a token for service account
Is there a way around this? Would vcluster be able to request tokens from the host cluster instead, when service account sync is enabled?
@giepa did you manage to get an answer to this? We have exactly the same need. It would be wonderful if we could do it via IRSA. If that is not possible, an alternative (which you prob already considered) would be to configure the provider to use an explicit IAM account and credentials, but this kind of negates the advantages of IRSA/AWS and is less secure.
@joaocc as an interim, we did configure the provider to use an explicit IAM account and credentials. As you said, it's not secure; we are getting away with it only because it's for dev environments. For production such an approach would be a no go. If you do come up with something better, please let us know.
Thanks. As a quick clarification, I didn't mean it was not secure, but simply less secure than IRSA, as we have secrets being stored there (and, FWIW, in our context, we still consider it a valid approach even for production).
Update from recent testing: When we create the following manifest inside the vcluster, we get no errors and we get
However, if we then add an ExternalSecret with a reference to that cluster secret store, it won't synchronize, and I get the following error
Additionally:
@FabianKramm, would you have any suggestion on this? Thanks
After some more digging, I found this info on external-secrets docs (https://external-secrets.io/latest/provider/aws-secrets-manager/#eks-service-account-credentials), where However, once we change the relevant definition to include a namespace, the ClusterSecretStore no longer gets
In either case, we get the following error message:
We are facing the exact same issue with external-secrets and vcluster. What you are seeing though is expected since vcluster I believe that for
Facing the same issue here with vCluster and This makes total sense because when we decode the JWT created by I've tried messing with the
Is your feature request related to a problem?
In our setup, to facilitate AWS IRSA, we configured service accounts to be synced to the host cluster:
This works well when service accounts are mounted on pods. However when a service account token is requested in vcluster, for example:
Then the token is rejected as invalid by the AWS sdk:
I suspect it is because the token is issued by the vcluster and not the host cluster. Is there a way around this? How can we request a valid token?
Which solution do you suggest?
Vcluster should forward service account token requests to the host cluster when service account sync is enabled.
Which alternative solutions exist?
No response
Additional context
No response
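As an added diagnostic example (not code from the issue, from external-secrets or from the vcluster project), the script below inspects the claims of a projected service account token the way STS does before trusting it for IRSA: the `iss` claim must be the host cluster's EKS OIDC provider, `aud` must include `sts.amazonaws.com`, `sub` must name the service account the IAM role trusts, and the token must not be expired. A token minted by the vcluster API server carries the vcluster's own issuer, so this check reports the issuer mismatch the report above suspects. The issuer URL, namespace, service account name and the vcluster issuer value are constructed sample values; the token builder emits an unsigned placeholder because only claims are inspected here (signature verification against the issuer's JWKS is left to STS).

```python
import base64
import json
import time
from typing import Optional

# Constructed sample values (not taken from the issue): what the IAM role's
# trust policy expects to see in a projected service account token.
EXPECTED_ISSUER = "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
EXPECTED_AUDIENCE = "sts.amazonaws.com"
EXPECTED_SUBJECT = "system:serviceaccount:external-secrets:eso-aws"

# Constructed stand-in for the issuer a vcluster-minted token would carry;
# the real value depends on the vcluster's own API server configuration.
VCLUSTER_ISSUER_SAMPLE = "https://kubernetes.default.svc.cluster.local"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the
    signature. STS verifies the signature against the issuer's JWKS; this
    helper only exposes the claims so they can be compared to expectations."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_irsa_token(token: str, now: Optional[float] = None) -> list:
    """Return the reasons STS would refuse this token as an IRSA credential;
    an empty list means the claims match the trust policy expectations."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(
            f"issuer {claims.get('iss')!r} is not the host cluster OIDC issuer"
        )
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # RFC 7519 allows a single string audience
        aud = [aud]
    if EXPECTED_AUDIENCE not in aud:
        problems.append(f"audience {aud!r} does not include {EXPECTED_AUDIENCE!r}")
    if claims.get("sub") != EXPECTED_SUBJECT:
        problems.append(
            f"subject {claims.get('sub')!r} is not the trusted service account"
        )
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        problems.append("token is expired")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature segment. Constructed
    for this example only; real projected tokens are signed by the API server."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


# Constructed sample tokens: one as the host cluster would mint it, one with
# the claims a vcluster-issued token would carry for the same service account.
BASE_CLAIMS = {
    "sub": EXPECTED_SUBJECT,
    "aud": [EXPECTED_AUDIENCE],
    "iat": 1_700_000_000,
    "exp": 1_700_086_400,
}
HOST_TOKEN = make_unsigned_token({**BASE_CLAIMS, "iss": EXPECTED_ISSUER})
VCLUSTER_TOKEN = make_unsigned_token({**BASE_CLAIMS, "iss": VCLUSTER_ISSUER_SAMPLE})

if __name__ == "__main__":
    for name, tok in (("host", HOST_TOKEN), ("vcluster", VCLUSTER_TOKEN)):
        print(name, check_irsa_token(tok, now=1_700_000_100) or "ok")
```

Point the script at a real token (for example the file mounted at the path named by `AWS_WEB_IDENTITY_TOKEN_FILE` inside the pod) to confirm which API server issued it before changing the sync configuration.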