ACK RDS IRSA role requires access to alias/secretsmanager KMS key or fails to create DB.
#45
Comments
Sorry, I slightly updated the main comment to reduce additional context and simplify the additional IAM statement.

This issue has been automatically marked as stale because it has been open 30 days.

Remove stale please.
Simple solution for anyone looking to quickly mitigate this lack-of-permission situation:

```hcl
module "..." {
  source = "aws-ia/eks-ack-addons/aws"
  # [....]

  # rds is missing KMS access https://github.com/aws-ia/terraform-aws-eks-ack-addons/issues/45
  rds = {
    role_policies = {
      AmazonRDSFullAccess     = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonRDSFullAccess"
      SecretsManagerReadWrite = "arn:${data.aws_partition.current.partition}:iam::aws:policy/SecretsManagerReadWrite"
    }
  }
}

data "aws_partition" "current" {}
```

This issue has been automatically marked as stale because it has been open 30 days.

Issue closed due to inactivity.
Description
When using the ACK Controller for RDS, I encountered a problem using the Secrets Manager feature of RDS. In my circumstance, I was using a custom KMS key and gave, to the IRSA role, permission to create the secret, access the KMS key and allow the associated grants as documented in AWS documentation. However, the controller still failed citing insufficient permissions on the KMS key.

Upon using CloudTrail I discovered the controller was still performing `kms:DescribeKey` on the default KMS key (`alias/secretsmanager`), even though I had supplied a specific one for the secret in the resource. Once I permitted `kms:DescribeKey` on the default KMS key for Secrets Manager, everything started working properly.

I have three questions:

`kms:DescribeKey` on the key supplied in the CRD? If so, where should I report this?
Versions
Steps to reproduce the behavior:
Expected behavior
CRD for dummy single instance small RDS:
Extra IAM policy added to IRSA role:
Expects to create DB and create a secret with the postgres randomly generated password.
Actual behavior
Fails with insufficient permissions for KMS key (KMS key ARN for custom secrets manager KMS key)
Additional context
Further examination in CloudTrail sees a failure on `kms:DescribeKey` but for the default KMS key alias for Secrets Manager (`alias/secretsmanager`). Modifying the policy to allow access (full or just `kms:DescribeKey`) to the default KMS key results in success; an example of such a statement is below:

Note 1: I tried using the `ResourceAliases` condition to limit the `kms:DescribeKey` permission to just the default secretsmanager KMS key but that, surprisingly, didn't work.