
TriggerAuthentication : AWS Secret Manager is not working with awsSecretManager.podIdentity #5899

Open
Tejasvihuded opened this issue Jun 19, 2024 · 1 comment
Labels
bug Something isn't working

Comments


Tejasvihuded commented Jun 19, 2024

Report

TriggerAuthentication AWS Secret Manager podIdentity is not working.

  • KEDA is not using the ROLE provided in awsSecretManager.podIdentity.roleArn.

  • Even tried with awsSecretManager.identityOwner.workload, but KEDA is still not using the ROLE NAME provided in the workload service account annotation.

Even though awsSecretManager.podIdentity.roleArn is set, KEDA is still using the IAM role which the KEDA operator uses.

Expected Behavior

Expected behavior is that when:

  • awsSecretManager.podIdentity.roleArn is set, KEDA should use that role to make the call to AWS Secret Manager to get the secret value
  • OR when awsSecretManager.podIdentity.identityOwner is set to workload, KEDA should use the role name from the service account associated with the workload pod to make the call to AWS Secret Manager to get the secret value

Actual Behavior

Even though awsSecretManager.podIdentity.roleArn is set, KEDA is still using the IAM role which the KEDA operator uses to get the secret value from AWS Secret Manager.
The same behavior is observed even when we set awsSecretManager.podIdentity.identityOwner to workload.

Steps to Reproduce the Problem

1. Create a TriggerAuthentication with AWS Secret Manager as the authentication provider, sample below. The role in "roleArn" is in a different AWS account and the TriggerAuthentication is in a different AWS EKS cluster.

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: sample-test-auth
spec:
  awsSecretManager:
    podIdentity:
      provider: aws
      roleArn: arn:aws:iam::awsaccountid:role/TargetRoleName
    region: us-east-2
    secrets:
    - parameter: userName
      name: postgre-username
    - parameter: password
      name: postgre-password

2. Create a ScaledObject, sample below

apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: keda-postgre
spec:
  scaleTargetRef:
    name: app1
  triggers:
  - type: "postgresql"
    metadata:
      host: host
      port: port
      dbName: dbname
      sslmode: disable
      query: "query removed"
      targetQueryValue: "1"
    authenticationRef:
      name: sample-test-auth

3. Create a sample deployment with the name "app1"; this is the target for the ScaledObject.

Logs from KEDA operator

2024-06-18T10:30:53Z    ERROR   scale_handler   Error getting credentials       {"type": "ScaledObject", "namespace": "<removed>", "name": "keda-postgre", "error": "operation error Secrets Manager: GetSecretValue, https response error StatusCode: 400, RequestID: <removed>, api error AccessDeniedException: User: arn:aws:sts::<eks aws accountid removed>:assumed-role/keda-operator-role/<id removed> is not authorized to perform: secretsmanager:GetSecretValue on resource: postgre-username because no identity-based policy allows the secretsmanager:GetSecretValue action"}
github.com/kedacore/keda/v2/pkg/scaling/resolver.(*AwsSecretManagerHandler).Read
        /workspace/pkg/scaling/resolver/aws_secretmanager_handler.go:60
github.com/kedacore/keda/v2/pkg/scaling/resolver.resolveAuthRef
        /workspace/pkg/scaling/resolver/scale_resolvers.go:344
github.com/kedacore/keda/v2/pkg/scaling/resolver.ResolveAuthRefAndPodIdentity
        /workspace/pkg/scaling/resolver/scale_resolvers.go:183
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).buildScalers.func1
        /workspace/pkg/scaling/scalers_builder.go:72
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).buildScalers
        /workspace/pkg/scaling/scalers_builder.go:96
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).performGetScalersCache
        /workspace/pkg/scaling/scale_handler.go:357
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).GetScalersCache
        /workspace/pkg/scaling/scale_handler.go:282
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).getScaledObjectMetricSpecs
        /workspace/controllers/keda/hpa.go:217
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).newHPAForScaledObject
        /workspace/controllers/keda/hpa.go:72
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).createAndDeployNewHPA
        /workspace/controllers/keda/hpa.go:45
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).ensureHPAForScaledObjectExists
        /workspace/controllers/keda/scaledobject_controller.go:441
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).reconcileScaledObject
        /workspace/controllers/keda/scaledobject_controller.go:280
github.com/kedacore/keda/v2/controllers/keda.(*ScaledObjectReconciler).Reconcile
        /workspace/controllers/keda/scaledobject_controller.go:191
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
        /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:119
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
        /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:316
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
        /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:266
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
        /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:227

KEDA Version

2.13.0

Kubernetes Version

1.28

Platform

Amazon Web Services

Scaler Details

postgresql

Anything else?

The two below are running in one AWS EKS cluster account:

  • KEDA operator is running in its own namespace
  • TriggerAuthentication, ScaledObject and target Deployment are running in a different namespace

The AWS Secret Manager holding the secrets is in a different AWS account.

I am trying a cross-account, same-region integration between KEDA and AWS Secret Manager.

@Tejasvihuded Tejasvihuded added the bug Something isn't working label Jun 19, 2024
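The AccessDeniedException in the operator log names the principal that actually called GetSecretValue, which is the quickest way to tell whether KEDA assumed the configured roleArn. The script below is an added example, not KEDA code: it parses a log line modelled on the one in this report, maps the assumed-role session ARN back to a role ARN, compares it with the TriggerAuthentication's roleArn, and checks a (constructed) trust policy on the target role for the cross-account sts:AssumeRole grant the chain needs. Account ids, the request id and the trust policy are placeholders.

```python
"""Check which IAM principal KEDA used for GetSecretValue and whether the
target role would even trust the operator role (stdlib only)."""
import re

# Constructed log line modelled on the issue's AccessDeniedException;
# account ids and request id are placeholders.
SAMPLE_LOG = (
    '2024-06-18T10:30:53Z ERROR scale_handler Error getting credentials '
    '{"type": "ScaledObject", "name": "keda-postgre", "error": "operation error '
    'Secrets Manager: GetSecretValue, https response error StatusCode: 400, '
    'RequestID: 00000000-0000-0000-0000-000000000000, api error '
    'AccessDeniedException: User: arn:aws:sts::111111111111:assumed-role/'
    'keda-operator-role/1718706653 is not authorized to perform: '
    'secretsmanager:GetSecretValue on resource: postgre-username because no '
    'identity-based policy allows the secretsmanager:GetSecretValue action"}'
)
# roleArn from the TriggerAuthentication (account id is a placeholder).
CONFIGURED_ROLE_ARN = "arn:aws:iam::222222222222:role/TargetRoleName"
# Constructed trust policy on the target role: cross-account assumption only
# works if the operator role is listed as a principal for sts:AssumeRole.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:role/keda-operator-role"},
                   "Action": "sts:AssumeRole"}],
}
# STS session ARNs look like arn:aws:sts::<account>:assumed-role/<role>/<session>
_ASSUMED = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/\s]+)/[^\s\"]+")

def caller_role_from_log(line):
    """Return the IAM role ARN behind the assumed-role session in the
    AccessDenied message, or None if the line carries no such ARN."""
    m = _ASSUMED.search(line)
    if not m:
        return None
    account, role = m.groups()
    return f"arn:aws:iam::{account}:role/{role}"

def used_configured_role(line, configured_role_arn):
    """True only if the denied call was made with the configured roleArn."""
    return caller_role_from_log(line) == configured_role_arn

def trust_policy_allows(policy, principal_role_arn):
    """True if an Allow statement lets principal_role_arn call sts:AssumeRole."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if principal_role_arn in principals or "*" in principals:
            return True
    return False
```

Run against the real operator log line and the real trust policy: if used_configured_role is False the chain was never attempted, and if trust_policy_allows is False the chain could not succeed even when it is.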

OS-vindhyag commented Jul 1, 2024

I am facing the same issue. I am setting roleArn but it is trying to authenticate using the STS assumed role. I am using the same account and same region but no luck. I tried all the combinations mentioned above.
