Access to Secrets Manager from pod in EKS

0

Hi,

I'm trying to access secrets in Secrets Manager from a pod deployed in an EKS cluster. This cluster was created with the eksctl command.

  • I attached an IAM policy with grants to the IAM role attached to the EC2 nodes:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:eu-west-1:[masked]:*"
        },
        {
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*"
        }
    ]
}
  • This IAM role was created by the eksctl command, and I see that it has this trust relationship:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

When I try to retrieve a secret with awscli from a running pod in the EKS cluster, I get this error:

# aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:eu-west-1:[masked]

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::[masked] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[masked]

awscli has this configured in its config file:

[default]
region = eu-west-1
output = json
role_arn = arn:aws:iam::[masked]
credential_source = Ec2InstanceMetadata

What's wrong?

Kind regards

2 Answers
1

I think the issue is you're trying to have your pods access the nodes' IAM role. Unless the AWS resource access requirements are uniform throughout your pods, you may be better off leveraging the service account you apply at a pod level.

In order to fix this, you should try to have the IAM role being assumed be the IAM role for service accounts. This documentation should help: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

Alternatively, you may want to look at the secrets manager integration for EKS: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html

AWS
answered 2 years ago
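
The answer above points to IAM roles for service accounts. As an added example (not part of the original thread, and not AWS's own code), this check compares the node role's trust policy from the question with the trust policy shape that IAM roles for service accounts expects. The OIDC issuer ID, account ID, namespace, service account name and the function names are constructed placeholders.

```python
# Trust policy of the eksctl-created node role, as posted in the question.
NODE_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# Constructed placeholders: OIDC issuer ID, account ID, namespace, service account.
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
IRSA_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{OIDC}:sub": "system:serviceaccount:default:secrets-reader",
        f"{OIDC}:aud": "sts.amazonaws.com"}}}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def irsa_findings(policy, oidc, namespace, service_account):
    """Return why the policy does not grant IRSA to this service account ([] = OK)."""
    # Simplification: only single-valued StringEquals conditions are recognised.
    want_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            findings.append(f"allows {actions}, not sts:AssumeRoleWithWebIdentity")
            continue
        principal = stmt.get("Principal")
        federated = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(arn.endswith(f":oidc-provider/{oidc}") for arn in federated):
            findings.append("principal is not the cluster's OIDC provider")
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        problems = [f"{claim} is not pinned to {want}"
                    for claim, want in (("sub", want_sub), ("aud", "sts.amazonaws.com"))
                    if equals.get(f"{oidc}:{claim}") != want]
        if not problems:
            return []  # one statement fully matches this service account
        findings.extend(problems)
    return findings or ["no Allow statement"]

print(irsa_findings(NODE_ROLE_TRUST, OIDC, "default", "secrets-reader"))
print(irsa_findings(IRSA_TRUST, OIDC, "default", "secrets-reader"))
```

A trust policy without the `sub` condition would let any service account in the cluster assume the role, which is why the check reports it separately from the `aud` condition.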
0

Thank you very much Chris, these approaches are fine for me.

answered 2 years ago
  • My pleasure, J Garcia! Can you please mark the question as "Answered" so other users can benefit from our exchange?
