Access to Secrets Manager from pod in EKS
Hi,
I'm trying to access secrets in Secrets Manager from a pod deployed in an EKS cluster. This cluster was created with the eksctl command.
- I attached an IAM policy with the following grants to the IAM role attached to the EC2 nodes:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:eu-west-1:[masked]:*"
    },
    {
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}
- This IAM role was created by the eksctl command, and I see that it has this trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
When I try, from the AWS CLI, to retrieve a secret from a running pod in the EKS cluster, I get this error:
# aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:eu-west-1:[masked]
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::[masked] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[masked]
The AWS CLI is configured with this config file:
[default]
region = eu-west-1
output = json
role_arn = arn:aws:iam::[masked]
credential_source = Ec2InstanceMetadata
What's wrong?
Kind regards
I think the issue is you're trying to have your pods access the nodes' IAM role. Unless the AWS resource access requirements are uniform throughout your pods, you may be better off leveraging the service account you apply at a pod level.
In order to fix this, you should try to have the IAM role being assumed be the IAM role for service accounts. This documentation should help: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
Alternatively, you may want to look at the secrets manager integration for EKS: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html
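For comparison with the ec2.amazonaws.com trust relationship quoted in the question, this is what the trust policy of an IAM role for service accounts (IRSA) looks like. It is an added example, not the answerer's own code: the account ID, the OIDC provider ID and the service account name (secrets-reader in the default namespace) are placeholders, and the sub/aud conditions are what restrict the role to that one service account rather than to every pod on the node.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789OIDCPROVIDERID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789OIDCPROVIDERID:sub": "system:serviceaccount:default:secrets-reader",
          "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789OIDCPROVIDERID:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```

The Secrets Manager policy from the question is then attached to this role instead of the node role, the Kubernetes ServiceAccount carries the annotation eks.amazonaws.com/role-arn with the role's ARN, and the pod sets serviceAccountName to that service account; the AWS CLI picks up the projected web identity token automatically, so the role_arn/credential_source entries in the config file are no longer needed.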
My pleasure, J Garcia! Can you please mark the question as "Answered" so other users can benefit from our exchange?