
How can I pass AWS_SESSION_TOKEN to logical backup cron job

Open · laukaichung opened this issue 4 years ago · 1 comment

  • Which image of the operator are you using? registry.opensource.zalan.do/acid/postgres-operator:v1.6.2
  • Where do you run it - cloud or metal? Kubernetes or OpenShift? Bare Metal K8s
  • Are you running Postgres Operator in production? No
  • Type of issue? question

I use bank vaults to inject secrets into the config of postgres-operator.

I can pass AWS STS AssumeRole temporary credentials from bank vaults to the config of postgres-operator, but the problem is that the logical backup pods do not seem to support the AWS_SESSION_TOKEN env var, which must be included in order to upload data to a bucket.

I don't think it provides logical_backup_s3_session_token in the configmap. Is there any way to get around this problem?

Here's a configMap layered over the original using Kustomize. I'd like to see an option like logical_backup_s3_session_token.

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-operator
  annotations:
    vault.security.banzaicloud.io/vault-addr: "https://vault:8200"
    vault.security.banzaicloud.io/vault-skip-verify: "true"
    vault.security.banzaicloud.io/inline-mutation: "true"
    vault.security.banzaicloud.io/vault-role: "default"

data:
  logical_backup_s3_access_key_id: vault:aws/sts/data-backup-user#access_key
  logical_backup_s3_secret_access_key: vault:aws/sts/data-backup-user#secret_key
  #logical_backup_s3_session_token: vault:aws/sts/data-backup-user#security_token
  logical_backup_s3_bucket: some-bucket
  logical_backup_s3_region: us-east-1
  logical_backup_schedule: "45 * * * *"

laukaichung · Apr 27 '21 09:04

This should be possible by specifying a logical_backup_cronjob_environment_secret, see #2352 (will be included in 1.11.0 release)

FxKu · Jan 23 '24 13:01
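A configuration sketch of the approach FxKu points to, added here as an example and not taken from the issue or from the operator's own docs. The Secret name `logical-backup-aws-sts` and the operator namespace are hypothetical, the assumption that every key of the referenced Secret becomes an environment variable of the logical backup cron job pod follows from the option name alone (the linked #2352 is not on this page), and the Vault paths reuse the ones from the issue.

```yaml
# Added example (not from the issue or the postgres-operator repo).
# Assumes, per the option name from #2352 / v1.11.0, that each key of the
# referenced Secret is exposed as an environment variable of the logical
# backup CronJob pod.
---
apiVersion: v1
kind: Secret
metadata:
  name: logical-backup-aws-sts          # hypothetical name
  namespace: postgres-operator          # assumed operator namespace
  annotations:
    # Same Bank-Vaults inline mutation the issue already applies to the ConfigMap,
    # so the STS credentials are injected at admission time, not committed to git.
    vault.security.banzaicloud.io/vault-addr: "https://vault:8200"
    vault.security.banzaicloud.io/vault-skip-verify: "true"
    vault.security.banzaicloud.io/inline-mutation: "true"
    vault.security.banzaicloud.io/vault-role: "default"
type: Opaque
stringData:
  # Keys are the env var names the AWS SDK/CLI reads; AWS_SESSION_TOKEN is the
  # value the operator ConfigMap had no key for.
  AWS_ACCESS_KEY_ID: "vault:aws/sts/data-backup-user#access_key"
  AWS_SECRET_ACCESS_KEY: "vault:aws/sts/data-backup-user#secret_key"
  AWS_SESSION_TOKEN: "vault:aws/sts/data-backup-user#security_token"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-operator
data:
  logical_backup_s3_bucket: some-bucket
  logical_backup_s3_region: us-east-1
  logical_backup_schedule: "45 * * * *"
  # Point the cron job at the Secret above instead of carrying static
  # logical_backup_s3_* keys in the ConfigMap.
  logical_backup_cronjob_environment_secret: logical-backup-aws-sts
```

STS credentials expire, so the Secret has to be re-mutated ahead of each scheduled run; an S3 upload failing with an expired-token error in the backup job's logs is the sign that it was not.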