aws-cdk-lib: Secrets for service account not getting created

Open brizaldi opened this issue 1 year ago • 2 comments

Describe the issue

Our cluster was using Kubernetes version 1.22. However, after upgrading to the latest version (1.29), we noticed a change in the process of creating service accounts in AWS CDK.

Previously, when we created a service account like this cluster.addServiceAccount(...), the secret token would be generated automatically, but it seems that this is no longer the case in the latest version.

Does CDK have a way to handle this, or do we need to create the secret manually?

More context: https://github.com/kubernetes/kubernetes/pull/108309

Links

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.Cluster.html#addwbrservicewbraccountid-options

brizaldi avatar May 10 '24 03:05 brizaldi

Can you explain a little bit more about what secret token you are expecting?

addServiceAccount() essentially creates a new ServiceAccount construct, and I didn't see any secret token being created.

And, what is the CDK version you are using for 1.22?

pahud avatar May 10 '24 12:05 pahud

We're currently using aws-cdk version 2.135.0.

Basically, on pre-1.24 Kubernetes, when you create a service account, two resources are created automatically: a service account and a secret. After 1.24, only the service account is created, without the secret.

cdk command:

```ts
const serviceAccount = cluster.addServiceAccount("my-service-account", {
    name: "my-service-account",
    namespace: "my-namespace"
})
```

service account

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/my-role
  labels:
    app.kubernetes.io/name: my-service-account
  name: my-service-account
  namespace: my-namespace
  resourceVersion: "890732087"
  uid: bfc00afd-024b-4ac5-92ab-be7c90c25312
secrets:
- name: my-service-account-token-k2l6z
```

secret

```yaml
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZ...
  namespace: bXktbmFtZXNwYWNl
  token: ZXlKaGJHY2lPa...
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: my-service-account
    kubernetes.io/service-account.uid: bfc00afd-024b-4ac5-92ab-be7c90c25312
  name: my-service-account-token-k2l6z
  namespace: my-namespace
  resourceVersion: "890732086"
  uid: 7ec2efab-29b9-4062-bc98-06d64fbd0e74
type: kubernetes.io/service-account-token
```

brizaldi avatar May 11 '24 04:05 brizaldi

Closed. Ended up creating the secret token manually using the KubernetesManifest construct.

brizaldi avatar May 18 '24 08:05 brizaldi
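The resolution above (creating the token Secret yourself) works because since Kubernetes 1.24 the token controller still populates a `kubernetes.io/service-account-token` Secret on demand: it fills in `data.token`, `data.ca.crt` and `data.namespace` for any Secret of that type whose `kubernetes.io/service-account.name` annotation names an existing ServiceAccount. The example below is added here and is not code from the issue thread or from aws-cdk-lib. It builds and sanity-checks that manifest as a plain object, which is the shape `cluster.addManifest()` / `KubernetesManifest` accept, and shows a second check a defender can run on a Secret read back from the API, to confirm it is bound to the service account you expect. The helper names (`serviceAccountTokenSecret`, `checkBoundSecret`) and the sample values are assumptions for illustration; the name regex is a conservative DNS-1123 check, not a full Kubernetes validator.

```typescript
// Added example: build the kubernetes.io/service-account-token Secret that
// Kubernetes >= 1.24 no longer creates automatically, for use with CDK's
// cluster.addManifest() / KubernetesManifest. Not part of aws-cdk-lib.

interface ServiceAccountTokenSecret {
  apiVersion: "v1";
  kind: "Secret";
  metadata: {
    name: string;
    namespace: string;
    annotations: { "kubernetes.io/service-account.name": string };
  };
  type: "kubernetes.io/service-account-token";
}

// Conservative DNS-1123 subdomain check (assumption: good enough as a guard
// before the manifest reaches kubectl/CDK; the API server does full validation).
const DNS1123 = /^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$/;

function assertK8sName(label: string, value: string): void {
  if (value.length > 253 || !DNS1123.test(value)) {
    throw new Error(`invalid ${label} name: ${JSON.stringify(value)}`);
  }
}

// Returns the manifest for a long-lived token Secret bound to `serviceAccountName`.
// The token controller fills in data.token / data.ca.crt / data.namespace after
// the Secret is created, provided the ServiceAccount already exists.
function serviceAccountTokenSecret(
  serviceAccountName: string,
  namespace: string,
  secretName: string = `${serviceAccountName}-token`,
): ServiceAccountTokenSecret {
  assertK8sName("service account", serviceAccountName);
  assertK8sName("namespace", namespace);
  assertK8sName("secret", secretName);
  return {
    apiVersion: "v1",
    kind: "Secret",
    metadata: {
      name: secretName,
      namespace,
      annotations: { "kubernetes.io/service-account.name": serviceAccountName },
    },
    type: "kubernetes.io/service-account-token",
  };
}

// Defender-side check on a Secret read back from the API (e.g. `kubectl get
// secret -o json`): it must be of the token type, annotated with the expected
// service account, and already populated by the controller. Returns the list of
// problems found (empty means the Secret is bound and ready).
function checkBoundSecret(fetched: any, expectedServiceAccount: string): string[] {
  const problems: string[] = [];
  if (fetched?.type !== "kubernetes.io/service-account-token") {
    problems.push(`unexpected type ${fetched?.type}`);
  }
  const bound = fetched?.metadata?.annotations?.["kubernetes.io/service-account.name"];
  if (bound !== expectedServiceAccount) {
    problems.push(`bound to ${bound}, expected ${expectedServiceAccount}`);
  }
  for (const key of ["token", "ca.crt", "namespace"]) {
    if (!fetched?.data?.[key]) problems.push(`data.${key} not populated yet`);
  }
  return problems;
}

// How this plugs into the CDK stack from the thread (commented out because
// aws-cdk-lib is not imported in this stand-alone example):
//
//   const sa = cluster.addServiceAccount("my-service-account", {
//     name: "my-service-account", namespace: "my-namespace",
//   });
//   const tokenSecret = cluster.addManifest(
//     "my-service-account-token",
//     serviceAccountTokenSecret("my-service-account", "my-namespace"),
//   );
//   tokenSecret.node.addDependency(sa); // ServiceAccount must exist first
```

The `addDependency` call matters: if CDK applies the Secret before the ServiceAccount exists, the token controller has nothing to bind it to. Note also that this recreates a non-expiring credential; workloads on 1.24+ get short-lived projected tokens by default, so a manual token Secret should be limited to the cases (external systems, pre-1.24 clients) that genuinely need it, and its service account scoped with the narrowest RBAC that still works.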

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] avatar May 18 '24 08:05 github-actions[bot]

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

aws-cdk-automation avatar Jul 25 '24 21:07 aws-cdk-automation