
Secrets Store CSI Driver failing with Pod Identity on EKS Auto Mode

0

Describe the bug

Secrets Store CSI Driver fails to retrieve secrets from AWS Secrets Manager when using EKS Pod Identity on EKS Auto Mode nodes. The driver is unable to obtain AWS credentials, causing the GetSecretValue API call to fail after exhausting all retry attempts.

Logs from the pod:

MountVolume.SetUp failed for volume "csi" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod <pod_name>, err: rpc error: code = Unknown desc = Failed to fetch secret from all regions. Verify secret exists and required permissions are granted for: <secretName>

Logs from the AWS secrets provider driver:

operation error Secrets Manager: GetSecretValue, exceeded maximum number of attempts, 3,
get identity: get credentials: failed to refresh cached credentials,
failed to load credentials, exceeded maximum number of attempts, 3, : []

Provider class:

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  labels:
    argocd.argoproj.io/instance: secrets-provider-class-<namespace>
  name: aws-secrets-provider-class
  namespace: <>
spec:
  parameters:
    objects: |
      - objectName: "<secretName>"
        objectType: "secretsmanager"
        objectAlias: "<secretAlias>"
    region: us-west-2
    usePodIdentity: 'true'
  provider: aws

The AWS Secrets CSI Driver in use is the AWS EKS add-on, version v3.0.0-eksbuild.1; AWS EKS version 1.3.4.

2 Answers
3

Since the issue only occurs with new pods while existing ones work, your IAM Trust Policy and permissions are likely correct. This behavior typically points to a race condition or dependency delay on newly provisioned Auto Mode nodes:

  • Pod Identity Agent Readiness: In EKS Auto Mode, the eks-pod-identity-agent must be fully operational on a new node before the CSI driver can retrieve credentials. If your application pod is scheduled and attempts to mount the secret before the agent is ready, the credential refresh will fail.
  • DaemonSet Initialization: Verify that the csi-secrets-store-provider-aws and the CSI driver pods have reached a Running state on the new node before the application pod starts.
  • Recommendation: Check the logs of the eks-pod-identity-agent pod on the specific node where the failure occurred. If you see failed 404 or 500 attempts around the time of the pod's creation, consider implementing a startup delay or checking node initialization sequences to ensure the Identity Agent has priority.
EXPERT
answered 17 days ago
  • bash-5.2# curl -v -H "Authorization: $(cat /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token)" http://169.254.170.23/v1/credentials
    *   Trying 169.254.170.23:80...
    * Established connection to 169.254.170.23 (169.254.170.23 port 80) from 10.0.18.83 port 53896
    * using HTTP/1.x
    > GET /v1/credentials HTTP/1.1
    > Host: 169.254.170.23
    > User-Agent: curl/8.17.0
    > Accept: */*
    > Authorization: <REDACTED>
    >
    < HTTP/1.1 500 Internal Server Error
    < Content-Type: text/plain; charset=utf-8
    < X-Content-Type-Options: nosniff
    < Date: Fri, 01 May 2026 04:35:40 GMT
    < Content-Length: 3
    <
    []
    * Connection #0 to host 169.254.170.23 left intact

    On debugging further, when I call this from inside the pod I get this error, which is causing the failure. I have verified permissions and they are correct. It was working earlier. It started breaking today on new pods on EKS, and it also fails on existing nodes, so it cannot be a race condition.
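As an added example (not code from this thread, from AWS, or from the CSI driver project): a shell readiness check that probes the Pod Identity agent endpoint the way the comment above does, and that can serve as the startup delay the answer recommends, for instance as an init container command. It assumes curl is present in the image; the token path and agent URL are the ones shown in the comment, and the poll interval and timeout are arbitrary choices.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Probes the EKS Pod Identity
# agent and turns the result into a readiness decision for a pod init step.
# Assumptions: curl is installed; token path and agent URL are as in the
# comment above (overridable via env); timeout/interval values are arbitrary.

TOKEN_FILE="${TOKEN_FILE:-/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token}"
AGENT_URL="${AGENT_URL:-http://169.254.170.23/v1/credentials}"

# Map the HTTP status returned by the agent to a diagnosis line.
# Exit status: 0 = credentials issued, 2 = agent unreachable, 1 = agent refused.
classify_pod_identity_status() {
  case "$1" in
    200)    echo "ready: agent issued credentials"; return 0 ;;
    000|"") echo "unreachable: no answer from the agent (agent pod not running on this node yet?)"; return 2 ;;
    *)      echo "refused: agent returned HTTP $1 (check eks-pod-identity-agent logs and the pod identity association)"; return 1 ;;
  esac
}

# One probe. Prints only the HTTP status code, never the credential body,
# so this is safe to run in a log-collected init container.
probe_pod_identity() {
  [ -r "$TOKEN_FILE" ] || { echo "000"; return 0; }
  curl -s -o /dev/null -w '%{http_code}' --max-time 3 \
    -H "Authorization: $(cat "$TOKEN_FILE")" "$AGENT_URL" 2>/dev/null || true
}

# Poll until the agent issues credentials or the timeout expires.
# Returns the last classification status so a failed init step is visible.
# Usage: wait_for_pod_identity <timeout_seconds> <interval_seconds>
wait_for_pod_identity() {
  timeout="${1:-60}"; interval="${2:-2}"; waited=0
  while :; do
    code="$(probe_pod_identity)"
    rc=0
    msg="$(classify_pod_identity_status "$code")" || rc=$?
    echo "[pod-identity-wait] ${waited}s: $msg"
    [ "$rc" -eq 0 ] && return 0
    [ "$waited" -ge "$timeout" ] && return "$rc"
    sleep "$interval"
    waited=$((waited + interval))
  done
}
```

A 500 from the agent, as in the comment above, is reported as "refused", which distinguishes it from the not-yet-running case the answer describes.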

1

Hello.

The EKS Pod Identity may not be functioning correctly, and the Secrets Store CSI Driver may not be able to retrieve the credentials.
You may need to verify that the IAM role is configured correctly for the service account and that there are no issues with the IAM role's trust policy.
https://docs.aws.amazon.com/eks/latest/userguide/pod-id-association.html

EXPERT
answered 17 days ago
EXPERT
reviewed 17 days ago
  • Hi, I have verified permissions; they are correct. It is working for existing pods but not for new pods.
