Bug description

The AWS secrets-manager keystore requires an `endpoint` configuration, and fails if not provided:

```yaml
keystore:
  aws:
    secretsmanager:
      endpoint: secretsmanager.us-east-2.amazonaws.com # Use the SecretsManager in your region.
      region: us-east-2 # Use your region
      kmskey: ""        # Your AWS-KMS master key (CMK) - optional.
      credentials:
        accesskey: ""   # Your AWS Access Key
        secretkey: ""   # Your AWS Secret Key
```

The example uses `secretsmanager.us-east-2.amazonaws.com` as endpoint. The implementation uses this endpoint to configure a session client, which overwrites the endpoints of all services in the SDK (kes/internal/keystore/aws/secrets-manager.go, lines 77 to 84 in 2e4e7be).

This works if e.g. the access and secret key were provided, and we only need to contact the secrets-manager.

In case the config does not contain the secrets, the SDK uses the environment, and might need to contact the STS service to fetch a token. This does not work anymore with the secrets-manager endpoint configured in the shared session.

Discovered this bug while setting up IRSA on EKS (see here). The client makes a `sts/AssumeRoleWithWebIdentity` request, but this fails with 404 on the secrets-manager endpoint. After removing the endpoint option, the SDK makes a request to `sts.us-east-1.amazonaws.com` and everything works.

Expected behavior

The `endpoint` config option should be optional, or set on the secrets-manager client instead (kes/internal/keystore/aws/secrets-manager.go, line 91 in 2e4e7be).

Additional context

Maybe the `region` option should be optional too. A container running on EKS with IRSA has the following environment variables:
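The mechanism behind the report, as an added illustration that is neither KES's code nor aws-sdk-go's: an endpoint placed on the shared session config is inherited by every service client built from that session, including the STS client the web-identity credential provider creates, whereas an endpoint passed only to the Secrets Manager client leaves STS on its own regional host. `Config`, `merge` and `ResolveHost` are a deliberately small model of how aws-sdk-go v1 layers per-client configs over the session config (the real SDK may also pick the global STS endpoint depending on its STS regional-endpoint setting; the model always builds `sts.<region>.amazonaws.com`). The two `httptest` servers are constructed stand-ins, not AWS: the fake Secrets Manager only speaks its JSON target protocol and answers anything else with 404, which is the symptom the issue describes for the misrouted `AssumeRoleWithWebIdentity` call.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Config models the two aws.Config fields relevant to this issue. It is a
// stand-in for aws-sdk-go v1's aws.Config, not the SDK type itself.
type Config struct {
	Region   string
	Endpoint string // non-empty: every request built on this config goes here
}

// merge mirrors how aws-sdk-go v1 layers the configs passed to a service
// constructor (e.g. secretsmanager.New(sess, cfg...)) over the shared
// session config: later non-empty values win.
func merge(shared Config, overrides ...Config) Config {
	out := shared
	for _, o := range overrides {
		if o.Region != "" {
			out.Region = o.Region
		}
		if o.Endpoint != "" {
			out.Endpoint = o.Endpoint
		}
	}
	return out
}

// ResolveHost returns the host a client for service would send requests to
// (simplified: no global-STS-endpoint special case).
func ResolveHost(service string, cfg Config) string {
	if cfg.Endpoint != "" {
		return cfg.Endpoint
	}
	return fmt.Sprintf("%s.%s.amazonaws.com", service, cfg.Region)
}

// SharedEndpointHosts reproduces the reported layout: the Secrets Manager
// endpoint sits on the shared session config, so the STS client the
// credential provider builds from that same session inherits it.
func SharedEndpointHosts(region, smEndpoint string) (stsHost, smHost string) {
	sess := Config{Region: region, Endpoint: smEndpoint}
	return ResolveHost("sts", merge(sess)), ResolveHost("secretsmanager", merge(sess))
}

// ClientEndpointHosts is the proposed fix: the override is passed to the
// Secrets Manager client only, and STS keeps its regional endpoint.
func ClientEndpointHosts(region, smEndpoint string) (stsHost, smHost string) {
	sess := Config{Region: region}
	return ResolveHost("sts", merge(sess)),
		ResolveHost("secretsmanager", merge(sess, Config{Endpoint: smEndpoint}))
}

// newFakeSecretsManager (constructed stand-in) serves only Secrets Manager's
// JSON protocol (X-Amz-Target: secretsmanager.<Op>) and 404s everything else.
func newFakeSecretsManager() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("X-Amz-Target"), "secretsmanager.") {
			http.NotFound(w, r)
			return
		}
		io.WriteString(w, `{"SecretString":"constructed-sample"}`)
	}))
}

// newFakeSTS (constructed stand-in) accepts the query-protocol
// AssumeRoleWithWebIdentity action and rejects anything else.
func newFakeSTS() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("Action") != "AssumeRoleWithWebIdentity" {
			http.Error(w, "unknown action", http.StatusBadRequest)
			return
		}
		io.WriteString(w, "<AssumeRoleWithWebIdentityResponse/>")
	}))
}

// AssumeRoleStatus posts a minimal AssumeRoleWithWebIdentity request to
// baseURL, as the web-identity credential provider would to whatever host it
// resolved, and reports the HTTP status (-1 on transport error).
func AssumeRoleStatus(baseURL string) int {
	form := url.Values{"Action": {"AssumeRoleWithWebIdentity"}, "Version": {"2011-06-15"}}
	resp, err := http.PostForm(baseURL+"/", form)
	if err != nil {
		return -1
	}
	resp.Body.Close()
	return resp.StatusCode
}

func main() {
	const ep = "secretsmanager.us-east-2.amazonaws.com"
	sts, sm := SharedEndpointHosts("us-east-2", ep)
	fmt.Println("shared endpoint:  sts ->", sts, " secretsmanager ->", sm)
	sts, sm = ClientEndpointHosts("us-east-2", ep)
	fmt.Println("client endpoint:  sts ->", sts, " secretsmanager ->", sm)

	smSrv, stsSrv := newFakeSecretsManager(), newFakeSTS()
	defer smSrv.Close()
	defer stsSrv.Close()
	fmt.Println("AssumeRoleWithWebIdentity at secrets-manager host:", AssumeRoleStatus(smSrv.URL))
	fmt.Println("AssumeRoleWithWebIdentity at sts host:", AssumeRoleStatus(stsSrv.URL))
}
```

With the shared override both hosts resolve to the Secrets Manager endpoint and the STS call lands on a server that does not know the action, hence the 404; with the per-client override only the Secrets Manager client is redirected. In the real SDK the equivalent of `ClientEndpointHosts` is passing the endpoint as a client-level `aws.Config` to the Secrets Manager constructor instead of setting it on the session.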
@aead any chance to look into this? The fix in the pull-request is rather small. It's more or less impossible to run KES on AWS EKS securely without the changes.