secret-manager
Vault secretstore: AWS IAM (IRSA) authentication
Is your feature request related to a problem? Please describe.
I'd like to use this controller to provision secrets from
- SecretsManager using IRSA
- Vault in another K8s cluster that also uses IAM roles for authentication -> IRSA. Both Secrets Manager and Vault require the same IAM role, so a simple service account token would work in this case.
I suppose it should work to use the token within the service account secret with tokenSecretRef in the Vault SecretStore; however, I haven't been able to get this to work, and it's quite inconvenient because the secret name isn't easily template-able.
Describe the solution you'd like
Allow the Vault SecretStore type to use IAM authentication, similar to Vault Agent.
Describe alternatives you've considered
Not sure what other sensible alternatives there are. Maybe simply referencing a ServiceAccount directly and having the controller pull the token from the associated secret? Not sure if this even makes sense RBAC-wise.
Additional context
/kind feature
Just to clarify, this is for the Vault secret backend but with AWS authentication?
If so, that is something we are interested in. In terms of IRSA, we should be able to support either a secretSelector or a serviceAccountSelector, or using the ServiceAccount of the controller pod.
In terms of implementation, it looks like there is an example in the Vault CLI and API docs.
Just to clarify, this is for the Vault secret backend but with AWS authentication?
Yes, exactly. Judging from the CRD specification, SecretsManager + IRSA should be supported already, right? I haven't gotten around to testing it with this operator yet (I've only used the "original" Node.js-based secrets manager before).
I have also looked at the Vault Agent/CLI code and API docs, but unfortunately I'm not that proficient at Go yet, so I haven't really tried implementing it myself so far.
(I did figure out that it cannot really work with the current auth mechanisms, as far as I can tell.)