Required AWS endpoint configuration does not work with STS/IRSA #495

Open
derSascha opened this issue Dec 17, 2024 · 1 comment · May be fixed by #496
@derSascha
Bug description

The AWS secrets-manager keystore requires an endpoint configuration, and fails if it is not provided:

keystore:
  aws:
    secretsmanager:
      endpoint: secretsmanager.us-east-2.amazonaws.com  # Use the SecretsManager in your region.
      region:   us-east-2                               # Use your region
      kmskey:   ""                                      # Your AWS-KMS master key (CMK) - optional.
      credentials:
        accesskey: "" # Your AWS Access Key
        secretkey: "" # Your AWS Secret Key

The example uses secretsmanager.us-east-2.amazonaws.com as the endpoint. The implementation uses this endpoint to configure a session client, which overwrites the endpoints of all services in the SDK:

session, err := session.NewSessionWithOptions(session.Options{
    Config: aws.Config{
        // Endpoint is set on the shared session, so every service client
        // created from it (including STS) is sent to this host.
        Endpoint:    aws.String(config.Addr),
        Region:      aws.String(config.Region),
        Credentials: credentials,
    },
    SharedConfigState: session.SharedConfigDisable,
})

This works if, e.g., the access and secret key were provided and we only need to contact the secrets manager.

If the config does not contain the secrets, the SDK uses the environment and might need to contact the STS service to fetch a token. This no longer works with the secrets-manager endpoint configured in the shared session.

Discovered this bug while setting up IRSA on EKS (see here). The client makes an sts/AssumeRoleWithWebIdentity request, but this fails with a 404 on the secrets-manager endpoint. After removing the endpoint option, the SDK makes a request to sts.us-east-1.amazonaws.com and everything works.

Expected behavior

The endpoint config option should be optional, or set on the secrets-manager client instead:

client: secretsmanager.New(session),

Additional context

Maybe the region option should be optional too. A container running on EKS with IRSA has the following environment variables:

AWS_STS_REGIONAL_ENDPOINTS:    regional
AWS_DEFAULT_REGION:            us-east-1
AWS_REGION:                    us-east-1
AWS_ROLE_ARN:                  arn:aws:iam::...
AWS_WEB_IDENTITY_TOKEN_FILE:   /var/run/secrets/eks.amazonaws.com/serviceaccount/token
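The failure mode described in this issue, reproduced as an added stand-alone example. This is not code from the issue or from the KES project, and it does not use the AWS SDK: `EndpointConfig.Resolve` is a stand-in model of aws-sdk-go v1 endpoint precedence (per-client config, then the session-wide `Endpoint`, then the default `<service>.<region>.amazonaws.com`, with `AWS_STS_REGIONAL_ENDPOINTS=regional` selecting the regional STS host), and the two `httptest` servers are constructed fakes of the Secrets Manager and STS endpoints. The hostnames, the "secrets manager answers 404 to a query-protocol request" behaviour and all function names are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// EndpointConfig models the two places aws-sdk-go v1 accepts an endpoint
// override: aws.Config.Endpoint on the shared session, which applies to every
// client built from that session, and a per-client aws.Config passed to e.g.
// secretsmanager.New(sess, cfg). Stand-in model, not the SDK itself.
type EndpointConfig struct {
	Region          string
	SessionEndpoint string            // session-wide override (the reported bug)
	ClientEndpoint  map[string]string // per-service override, keyed by service name
	STSRegional     bool              // AWS_STS_REGIONAL_ENDPOINTS=regional
}

// Resolve returns the host a request for the given service is sent to.
func (c EndpointConfig) Resolve(service string) (string, error) {
	if ep := c.ClientEndpoint[service]; ep != "" {
		return ep, nil
	}
	if c.SessionEndpoint != "" {
		// A session-level endpoint also captures the STS client that the
		// credential chain creates internally for AssumeRoleWithWebIdentity.
		return c.SessionEndpoint, nil
	}
	if c.Region == "" {
		return "", fmt.Errorf("%s: no region configured", service)
	}
	if service == "sts" && !c.STSRegional {
		return "sts.amazonaws.com", nil // legacy global STS endpoint
	}
	return fmt.Sprintf("%s.%s.amazonaws.com", service, c.Region), nil
}

// NewFakeServers starts constructed stand-ins for the two endpoints, keyed by
// the hostname Resolve produces for them. The Secrets Manager fake only accepts
// JSON calls carrying an X-Amz-Target header and answers 404 to anything else;
// the STS fake accepts the query-protocol Action form.
func NewFakeServers() map[string]*httptest.Server {
	sm := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Amz-Target") == "" {
			http.NotFound(w, r)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
	sts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("Action") != "AssumeRoleWithWebIdentity" {
			http.Error(w, "unsupported action", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
	return map[string]*httptest.Server{
		"secretsmanager.us-east-2.amazonaws.com": sm,
		"sts.us-east-1.amazonaws.com":            sts,
	}
}

// AssumeRoleStatus resolves the STS endpoint under cfg, sends an
// AssumeRoleWithWebIdentity request to the matching fake server and returns the
// HTTP status: 404 when the session-wide endpoint hijacks the STS call.
func AssumeRoleStatus(cfg EndpointConfig, servers map[string]*httptest.Server) (int, error) {
	host, err := cfg.Resolve("sts")
	if err != nil {
		return 0, err
	}
	srv, ok := servers[host]
	if !ok {
		return 0, fmt.Errorf("no fake server for %s", host)
	}
	resp, err := http.PostForm(srv.URL+"/", url.Values{"Action": {"AssumeRoleWithWebIdentity"}})
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	servers := NewFakeServers()
	// Region comes from AWS_REGION=us-east-1 as in the IRSA pod environment.
	buggy := EndpointConfig{Region: "us-east-1", STSRegional: true,
		SessionEndpoint: "secretsmanager.us-east-2.amazonaws.com"}
	fixed := EndpointConfig{Region: "us-east-1", STSRegional: true,
		ClientEndpoint: map[string]string{"secretsmanager": "secretsmanager.us-east-2.amazonaws.com"}}
	for name, cfg := range map[string]EndpointConfig{"session endpoint": buggy, "client endpoint": fixed} {
		status, err := AssumeRoleStatus(cfg, servers)
		fmt.Printf("%-16s AssumeRoleWithWebIdentity -> status %d, err %v\n", name, status, err)
	}
}
```

Moving the override from the session to the Secrets Manager client is what makes the second configuration work: the credential chain's STS client falls back to the default regional host, while Secrets Manager traffic still goes to the configured endpoint.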
@derSascha (Author)

@aead any chance to look into this? The fix in the pull request is rather small. It's more or less impossible to run KES on AWS EKS securely without the changes.
