
How to inject credentials?

Open loffelmacher opened this issue 5 years ago • 6 comments

When starting this up for the first time I receive an error "Reconciler error" and "failed to compute secret for cr: failed to get json secret as map: NoCredentialProviders: no valid providers in chain."

Would be helpful to have some instructions on how to get credentials in there when needed.

loffelmacher avatar May 14 '19 18:05 loffelmacher

Maybe just link to this doc in the README: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

maxbrunet avatar Jun 11 '19 14:06 maxbrunet

Thanks! Yeah, just give AWS credentials to the pod in your preferred way. AWS_PROFILE, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, kiam, kube2iam, kube-aws-iam-controller or whatever...

mumoshu avatar Jul 01 '19 00:07 mumoshu

I also think this should be made explicit in the README. Also, it is quite paradoxical to me that to use a service manager tool, I have to use secret credentials that can't be managed by such a tool. How can I safely store my AWS credentials then?

leandregagnonlewis avatar Apr 03 '23 17:04 leandregagnonlewis

So store the AWS credentials in Kubernetes secrets, and then those can be injected into the environment of the operator, no?

apatrida avatar May 18 '23 15:05 apatrida

@leandregagnonlewis Hey! Ultimately, I think it's all about reducing the number of secrets you have to manage in other ways.

@apatrida There are various options depending on your requirement:

  • Give your EC2 instance access to SecretsManager via Instance Profile and deploy aws-secret-operator with hostNetwork.
  • Set up IAM OIDC using Terraform and configure IAM Role for Pod via serviceaccount and pod specs.
  • And yeah, as you said, store the AWS creds for aws-secret-operator in K8s secrets. Note that you can still "safely" manage K8s secrets using tools like helmfile(+vals), or sealed-secrets.

Let's say you are a platform team and there are other developers that use K8s. You might use Helmfile to deploy aws-secret-operator along with the creds, and other developers might use whatever tools they want (helm, kustomize, kubectl, etc.) that support creating arbitrary custom resources like AWSSecret. Devs can easily and safely refer to secrets stored in AWS Secrets Manager regardless of which tool they use, without any additional tool required.

mumoshu avatar May 18 '23 23:05 mumoshu
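The two pod-level options from the list above, written out as Kubernetes manifests. This is an added example, not manifests from the aws-secret-operator project or from anyone in this thread: the namespace, Secret and ServiceAccount names, the image reference, the region and the role ARN are all placeholders chosen for illustration. Option A is the "AWS creds in a K8s Secret" approach (the one that applies on-prem, where no instance profile or IAM OIDC exists); Option B is the IAM OIDC / IAM-role-for-pod approach, which needs no static keys at all.

```yaml
# Option A: static credentials in a K8s Secret, exposed to the operator as the
# environment variables the AWS SDK for Go reads in its default credential chain
# (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY). All names and values below are
# placeholders; the Secret itself can be rendered by helmfile(+vals) or
# sealed-secrets so that the plaintext keys never live in git.
apiVersion: v1
kind: Secret
metadata:
  name: aws-secret-operator-aws-creds      # assumed name
  namespace: aws-secret-operator            # assumed namespace
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: REPLACE_ME_ACCESS_KEY_ID          # placeholder
  AWS_SECRET_ACCESS_KEY: REPLACE_ME_SECRET_ACCESS_KEY  # placeholder
  AWS_REGION: us-east-1                                # assumed region
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aws-secret-operator
  namespace: aws-secret-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aws-secret-operator
  template:
    metadata:
      labels:
        app: aws-secret-operator
    spec:
      serviceAccountName: aws-secret-operator
      containers:
        - name: aws-secret-operator
          image: REPLACE_ME/aws-secret-operator:TAG     # placeholder image
          # Option A: inject every key of the Secret as an env var.
          # Drop this envFrom block when using Option B, so the pod holds
          # no long-lived keys and the SDK falls through to web identity.
          envFrom:
            - secretRef:
                name: aws-secret-operator-aws-creds
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
---
# Option B: IAM OIDC / IAM role for the pod. On a cluster with the IAM OIDC
# provider configured, a ServiceAccount annotated with the role ARN is enough;
# the SDK credential chain then uses the projected web-identity token instead
# of static keys. The role only needs read access to the Secrets Manager
# entries the operator is meant to serve.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-secret-operator
  namespace: aws-secret-operator
  annotations:
    # Placeholder account id and role name; replace with the role created
    # (e.g. via Terraform) for this operator.
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/REPLACE_ME-aws-secret-operator
```

After applying Option A, the "NoCredentialProviders: no valid providers in chain" error from the top of the thread should disappear because the SDK's environment provider now succeeds. To confirm the variables actually reached the container without echoing their values into your terminal or logs, list only the names: `kubectl -n aws-secret-operator exec deploy/aws-secret-operator -- env | grep -o '^AWS_[A-Z_]*'`. Whichever option you pick, keep the IAM policy behind those credentials scoped to the specific Secrets Manager ARNs the operator needs rather than `secretsmanager:*`, since the operator becomes a single point through which every developer's AWSSecret is resolved.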

@mumoshu we are not in EKS, but on-prem K8s, so we have to inject the environment variables into this operator so that it has the secrets to call out to AWS remotely.

apatrida avatar May 24 '23 14:05 apatrida