Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Expand Permissions for external-secrets IRSA Policy towards AWS Secrets Manager #416

Merged

Conversation

aschaber1
Copy link
Contributor

Description

Initial set of permissions (#414) was not sufficient. Checked the source code of the secrets manager implementation of external-secrets and added remaining permissions.

Motivation and Context

There were errors on certain use cases, such as a secret changes and needs to be pushed again.

Breaking Changes

No

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request
  • our setup

@aschaber1 aschaber1 force-pushed the aws_secrets_manager_create branch from 9685300 to 3acd563 Compare August 24, 2023 09:09
@aschaber1 aschaber1 changed the title Expand Expand Permissions for external-secrets IRSA Policy towards AWS Secrets Manager Aug 24, 2023
@aschaber1
Copy link
Contributor Author

aschaber1 commented Aug 24, 2023

Some kubectl describe Output:

set secret failed: could not write remote ref password to target secretstore secretsmanager: AccessDeniedException: User: <stripped> is not authorized to perform: secretsmanager:TagResource on resource: my-first-parameter because no identity-based policy allows the secretsmanager:TagResource action

Some Logs:

{
  "level": "error",
  "ts": 1692864427.05778,
  "msg": "Reconciler error",
  "controller": "pushsecret",
  "controllerGroup": "external-secrets.io",
  "controllerKind": "PushSecret",
  "PushSecret": {
    "name": "<stripped>",
    "namespace": "<stripped>"
  },
  "namespace": "<stripped>",
  "name": "<stripped>",
  "reconcileID": "<stripped>",
  "error": "could not write remote ref password to target secretstore secretsmanager: AccessDeniedException: User: <stripped> is not authorized to perform: secretsmanager:PutSecretValue on resource: <stripped> because no identity-based policy allows the secretsmanager:PutSecretValue action\n\tstatus code: 400, request id: <stripped>",
  "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/internal/controller/controller.go:226"
}

@aschaber1 aschaber1 changed the title Expand Permissions for external-secrets IRSA Policy towards AWS Secrets Manager fix: Expand Permissions for external-secrets IRSA Policy towards AWS Secrets Manager Aug 24, 2023
@aschaber1
Copy link
Contributor Author

I also managed to update the documentation at external-secrets/external-secrets#2653

@bryantbiggs bryantbiggs merged commit fa74a18 into terraform-aws-modules:master Aug 30, 2023
antonbabenko pushed a commit that referenced this pull request Aug 30, 2023
### [5.29.2](v5.29.1...v5.29.2) (2023-08-30)

### Bug Fixes

* Expand Permissions for external-secrets IRSA Policy towards AWS Secrets Manager ([#416](#416)) ([fa74a18](fa74a18))
@antonbabenko
Copy link
Member

This PR is included in version 5.29.2 🎉

@aschaber1 aschaber1 deleted the aws_secrets_manager_create branch August 31, 2023 14:14
@github-actions
Copy link

github-actions bot commented Oct 1, 2023

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 1, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants