Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error while creating an AWS Secrets Manager secret #82

Open
jonatasbaldin opened this issue Nov 11, 2020 · 2 comments
Open

Error while creating an AWS Secrets Manager secret #82

jonatasbaldin opened this issue Nov 11, 2020 · 2 comments

Comments

@jonatasbaldin
Copy link

Hi there!

Describe the bug:
Not able to create an AWS Secrets Manager secret, got the error:

2020-11-11T12:27:47.7662466Z E1111 12:27:47.765945       1 controller.go:117] controllers/ExternalSecret "msg"="error while reconciling ExternalSecret" "error"="cannot get ExternalSecret data from store: name \"mySecret\": error getting secret value: unknown endpoint, could not resolve endpoint, partition: \"all partitions\", service: \"secretsmanager\", region: \"eu-central-1\"" "externalsecret"={"Namespace":"default","Name":"test-one"}

The following resources were created:

apiVersion: secret-manager.itscontained.io/v1alpha1
kind: SecretStore
metadata:
  name: aws-secret-store
spec:
  aws:
    authSecretRef:
      accessKeyID:
        key: access-key
        name: aws-key
      secretAccessKey:
        key: secret-key
        name: aws-key
apiVersion: secret-manager.itscontained.io/v1alpha1
kind: ExternalSecret
metadata:
  name: test-one
spec:
  data:
  - remoteRef:
      name: mySecret
      property: key1
    secretKey: key1
  storeRef:
    name: aws-secret-store

The Secret used to authenticate on AWS is as follows:

apiVersion: v1
kind: Secret
metadata:
  name: aws-key
data:
  access-key: <redacted>
  secret-key: <redacted>
type: Opaque

The AWS Secrets Manager has the following secret:

$ aws secretsmanager get-secret-value --secret-id mySecret --region eu-central-1

{
    "ARN": "redacted",
    "Name": "mySecret",
    "VersionId": "35645498-8b3a-42bb-9e81-075807822659",
    "SecretString": "{\"key1\":\"value1\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": "2020-11-10T14:35:03.762000+01:00"
}

I'm also used the Administrator user in the AWS authentication to eliminate any possible permission errors.

Expected behavior
Generate a new Secret with the information from AWS Secrets Manager.

Steps to reproduce the bug:

  • Install secret-manager via Helm
  • Create the resources above and watch the controller logs

Environment details::

  • Kubernetes version (e.g. v1.18.9): v1.17.0 (Kind)
  • Secret-Manager version (e.g. v0.2.0): v0.3.0
  • SecretStore type(e.g. Vault vs AWS SecretManager): AWS Secret Manager
  • Install method (e.g. helm or static manifests): Listed above

/kind bug
@sbaier1
Copy link

sbaier1 commented Nov 13, 2020
edited
Loading

seeing the same issue with IRSA's ambient environment variables. have tried explicitly setting the region as well but it's not working. Interesting that it also happens with explicit access & secret key.

i am assuming it's a problem in the EndpointResolver(?)

(same region by the way)

@sbaier1
Copy link

sbaier1 commented Nov 16, 2020
edited
Loading

FWIW overriding the endpoint in the env variable works as a workaround (though of course it isn't perfect and the root cause has to be figured out here)

I just set this in the Helm chart

extraEnv:
  - name: AWS_SECRETSMANAGER_ENDPOINT
    value: https://secretsmanager.eu-central-1.amazonaws.com

It still seems like the AWS sdk is having trouble resolving the endpoint based on the region for some reason.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jonatasbaldin @sbaier1