Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Required AWS endpoint configuration does not work with STS/IRSA #495

Open
derSascha opened this issue Dec 17, 2024 · 0 comments · May be fixed by #496
Open

Required AWS endpoint configuration does not work with STS/IRSA #495

derSascha opened this issue Dec 17, 2024 · 0 comments · May be fixed by #496
Assignees
@aead

Comments

@derSascha
Copy link

Bug description

The AWS secrets-manager keystore requires an endpoint configuration, and fails if not provided:

keystore:
     aws:
       secretsmanager:
         endpoint: secretsmanager.us-east-2.amazonaws.com  # Use the SecretsManager in your region.
         region:   us-east-2                               # Use your region
         kmskey:   ""                                      # Your AWS-KMS master key (CMK) - optional.
         credentials:
           accesskey: "" # Your AWS Access Key
           secretkey: "" # Your AWS Secret Key

The example use secretsmanager.us-east-2.amazonaws.com as endpoint. The implementation use this endpoint to configuration a session client, that overwrites the endpoints of all services in the SDK:

kes/internal/keystore/aws/secrets-manager.go

Lines 77 to 84 in 2e4e7be

session, err := session.NewSessionWithOptions(session.Options{
Config: aws.Config{
Endpoint: aws.String(config.Addr),
Region: aws.String(config.Region),
Credentials: credentials,
},
SharedConfigState: session.SharedConfigDisable,
})

This works if e.g. the access and secret key was provided, and we only need to contact the secrets-manager.

In case the config does not contain the secrets, the SDK use the environment, and might need to contact the STS service to fetch a token. This does not work anymore with the secrets-manager endpoint configured in the shared session.

Discovered this bug while setting up IRSA on EKS (see here). The client makes a sts/AssumeRoleWithWebIdentity request, but this fails with 404 on the secrets-manager endpoint. After removing the endpoint option, the SDK makes a request to sts.us-east-1.amazonaws.com and everything works.

Expected behavior

The endpoint config option should be optional, or set on the secrets-manager client instead:

kes/internal/keystore/aws/secrets-manager.go

Line 91 in 2e4e7be

client: secretsmanager.New(session),

Additional context

Maybe the region option should be optional too. A container running on EKS with IRSA has the following environment variables:

AWS_STS_REGIONAL_ENDPOINTS:    regional
AWS_DEFAULT_REGION:            us-east-1
AWS_REGION:                    us-east-1
AWS_ROLE_ARN:                  arn:aws:iam::...                                  
AWS_WEB_IDENTITY_TOKEN_FILE:   /var/run/secrets/eks.amazonaws.com/serviceaccount/token
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aead aead

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Make endpoint config optional in AWS secrets-manager keystore config derSascha/kes
2 participants
@derSascha @aead