This repository was archived by the owner on Mar 5, 2024. It is now read-only.

assume-role-arn should use auto-detect #271

Open
derrickburns opened this issue Jul 22, 2019 · 6 comments

Comments

@derrickburns
Contributor

The only place I need to provide my account info is to provide an assume-role-arn. Can you use the auto-detect feature that identifies the prefix to also provide the prefix for assume-role-arn?

One backward-compatible way would be to detect if assume-role-arn is a complete ARN or simply a role name. If the latter and the auto-detect feature is on, then create the complete ARN from the auto-detected prefix and the role name.
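
The resolution scheme described in this comment, as an added example that is not kiam's own code: a value that already parses as a full IAM role ARN is used as-is, a bare role name is completed from the auto-detected base ARN, and a bare name with auto-detect off is rejected instead of being passed to STS as an invalid resource. The base ARN and account id are constructed sample values; `resolveAssumeRoleARN` and `isCompleteRoleARN` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Role base ARN as auto-detection would derive it from the instance identity.
// Constructed sample value; the account id is a placeholder.
const sampleBaseARN = "arn:aws:iam::999999999999:role/"

// isCompleteRoleARN reports whether v already has the form
// arn:<partition>:iam::<account>:role/<path-and-name>.
func isCompleteRoleARN(v string) bool {
	parts := strings.SplitN(v, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return false
	}
	return strings.HasPrefix(parts[5], "role/") && len(parts[5]) > len("role/")
}

// resolveAssumeRoleARN returns the ARN the server should assume. A complete
// ARN is returned unchanged; a bare role name is joined to baseARN only when
// autodetect is enabled. Anything else is an error so that a malformed value
// fails at startup rather than as an AccessDenied from STS at request time.
func resolveAssumeRoleARN(value, baseARN string, autodetect bool) (string, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		return "", fmt.Errorf("assume-role-arn is empty")
	}
	if isCompleteRoleARN(value) {
		return value, nil
	}
	if strings.Contains(value, ":") {
		return "", fmt.Errorf("%q is neither a role name nor a complete role ARN", value)
	}
	if !autodetect || baseARN == "" {
		return "", fmt.Errorf("%q is a role name but no base ARN is available to complete it", value)
	}
	return strings.TrimSuffix(baseARN, "/") + "/" + strings.TrimPrefix(value, "/"), nil
}

func main() {
	for _, v := range []string{"z2h2q-IAMManager-Role", sampleBaseARN + "z2h2q-IAMManager-Role"} {
		arn, err := resolveAssumeRoleARN(v, sampleBaseARN, true)
		fmt.Println(v, "->", arn, err)
	}
}
```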

@cyrus-mc

This would be a great feature.

@josegonzalez

Was this resolved by #276? As in, I can use either a RoleARN or a RoleName for the value in the annotation?

@paurosello

We have just faced this issue in kiam:4.0

As you can see in the server logs, the ARN is autocompleted for the requested role by the pod (z2h2q-Route53Manager-Role) but it's not autocompleted for the role that the server has to assume (z2h2q-IAMManager-Role).

{"level":"error","msg":"error requesting credentials: AccessDenied: User: arn:aws:sts::999999999999:assumed-role/gs-cluster-z2h2q-role-tccpn/i-038e8e95d771c82ad is not authorized to perform: sts:AssumeRole on resource: z2h2q-IAMManager-Role\n\tstatus code: 403, request id: f5e0a631-c0cb-4a9c-beaa-580a24ef96ac","pod.iam.role":{"Name":"z2h2q-Route53Manager-Role","ARN":"arn:aws:iam::999999999999:role/z2h2q-Route53Manager-Role"},"pod.iam.roleArn":"arn:aws:iam::999999999999:role/z2h2q-Route53Manager-Role","time":"2021-01-12T16:40:19Z"}
{"generation.metadata":0,"level":"error","msg":"error warming credentials: AccessDenied: User: arn:aws:sts::999999999999:assumed-role/gs-cluster-z2h2q-role-tccpn/i-038e8e95d771c82ad is not authorized to perform: sts:AssumeRole on resource: z2h2q-IAMManager-Role\n\tstatus code: 403, request id: f5e0a631-c0cb-4a9c-beaa-580a24ef96ac","pod.iam.role":"z2h2q-Route53Manager-Role","pod.name":"external-dns-67ddc97ccd-drg9f","pod.namespace":"kube-system","pod.status.ip":"10.2.41.94","pod.status.phase":"Running","resource.version":"10056","time":"2021-01-12T16:40:19Z"}

These are our server parameters that we use for release 3.X, and if we put the full ARN it works perfectly:

containers:
  - args:
    - --json-log
    - --level=info
    - --bind=0.0.0.0:6443
    - --cert=/etc/kiam/tls/tls.crt
    - --key=/etc/kiam/tls/tls.key
    - --ca=/etc/kiam/tls/ca.crt
    - --role-base-arn-autodetect
    - --assume-role-arn=z2h2q-IAMManager-Role
    - --session-duration=15m
    - --sync=1m
    - --prometheus-listen-addr=0.0.0.0:9620
    - --prometheus-sync-interval=5s
    - --region=eu-west-1

Is this expected, and we need to provide the full ARN now, or maybe we have something misconfigured in the new release?

Thank you very much!

@njuettner
Contributor

njuettner commented Jan 12, 2021

Does the arnResolver not also need to be added to the credentialsCache inside DefaultCache, https://github.com/uswitch/kiam/blob/v4.0/pkg/aws/sts/cache.go#L28? In v3.6 it was added, but now it's not used anymore although the field still exists; this seems wrong to me.

@njuettner
Contributor

@pingles any idea on #271 (comment) ?

@njuettner
Contributor

Opened a PR #459
