
ExternalDNS generated policy lacks ECR authToken generator permissions #514

Closed as not planned

Description

@loicvolle

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

  • No 🛑: please wait to file a request until the functionality is available in the AWS provider
  • Yes ✅: please list the AWS provider version which introduced this functionality

Is your request related to a problem? Please describe.

We are using the External Secrets generator for ECR. The goal is to have an ExternalSecret generate a secret with an ECR token, in order to use ArgoCD with Helm charts stored on ECR.

We use:

module "eks_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 5.41"

  # Attaches the module's built-in External Secrets policy (Secrets Manager / SSM access)
  attach_external_secrets_policy = true

  role_name = "${var.eks_cluster_name}_${var.k8s_namespace}"
  role_path = "/"

  allow_self_assume_role = true

  # IRSA trust: only the named service account in the namespace may assume the role
  oidc_providers = {
    eks = {
      provider_arn               = data.aws_iam_openid_connect_provider.eks_provider.arn
      namespace_service_accounts = ["${var.k8s_namespace}:${var.k8s_namespace}-sa"]
    }
  }
  tags = var.aws_tags
}

The policy lacks some ECR permissions, which should be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "*"
        }
    ]
}

YAML used for the feature:

---
apiVersion: v1
kind: Secret
metadata:
  name: ecr-eu-central-1-secret
  namespace: argocd
stringData:
  AWS_USERNAME: AWS
  AWS_PASSWORD: TOTO
---
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-eu-central-1
  namespace: argocd
spec:
  region: eu-central-1
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ecr-auth-token-external-secret
  namespace: argocd
spec:
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: ECRAuthorizationToken
        name: ecr-eu-central-1
  refreshInterval: 30m
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: ecr-eu-central-1-secret
    template:
      data:
        AWS_PASSWORD: '{{ .password }}'
        AWS_USERNAME: '{{ .username }}'
      engineVersion: v2
      metadata:
        labels:
          argocd.argoproj.io/secret-type: repo-creds

Describe the solution you'd like.

Have the policy include these permissions when the parameter attach_external_secrets_policy is set to true.

Describe alternatives you've considered.

Adding a custom policy, or adding the AWSAppRunnerServicePolicyForECRAccess AWS managed policy through a new parameter external_secrets_use_ecr_auth_token.

Additional context

Documentation for the ECR generator.
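The "custom policy" alternative mentioned in the issue, written out as an added example (this is not code from the issue author or from the terraform-aws-iam module). It assumes the module's `role_policy_arns` map variable (v5.x), AWS provider 5.x, and that `var.eks_cluster_name`, `var.k8s_namespace`, `var.aws_tags` and `data.aws_iam_openid_connect_provider.eks_provider` are declared elsewhere as in the issue's own snippet; `var.ecr_repository_names` and its default values are hypothetical. The security point it adds over the policy quoted above: `ecr:GetAuthorizationToken` is not resource-scoped and must stay on `"*"`, but the pull actions can be restricted to the repositories that actually hold the charts, and because the token carries the identity of the role that minted it, both statements must be on the same IRSA role.

```hcl
# Added example (not the issue's or the module's own code): least-privilege ECR
# policy for the ExternalSecrets ECRAuthorizationToken generator, attached to
# the IRSA role alongside the module's built-in external-secrets policy.

variable "ecr_repository_names" {
  description = "Hypothetical input: ECR repositories (OCI Helm chart repos) the role may pull from"
  type        = list(string)
  default     = ["charts/my-app", "charts/my-lib"]
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "ecr_auth_token" {
  # Token minting: ecr:GetAuthorizationToken cannot be restricted to a repository,
  # so "*" is unavoidable here. This is the only call the generator itself makes.
  statement {
    sid       = "ECRGetAuthorizationToken"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Pulling charts/images with the minted token (what ArgoCD does): scoped to
  # the listed repositories in the provider's region and account.
  # Note: the generator in the issue targets eu-central-1; the provider region
  # used here must match, or add per-region ARNs.
  statement {
    sid    = "ECRPullScoped"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:DescribeImages",
      "ecr:GetDownloadUrlForLayer",
    ]
    resources = [
      for repo in var.ecr_repository_names :
      "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${repo}"
    ]
  }
}

resource "aws_iam_policy" "ecr_auth_token" {
  name   = "${var.eks_cluster_name}_${var.k8s_namespace}_ecr_auth_token"
  path   = "/"
  policy = data.aws_iam_policy_document.ecr_auth_token.json
  tags   = var.aws_tags
}

module "eks_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 5.41"

  role_name = "${var.eks_cluster_name}_${var.k8s_namespace}"
  role_path = "/"

  attach_external_secrets_policy = true
  allow_self_assume_role         = true

  # Assumed module variable (map of name => policy ARN): attach the custom
  # policy next to the module-generated external-secrets policy.
  role_policy_arns = {
    ecr_auth_token = aws_iam_policy.ecr_auth_token.arn
  }

  oidc_providers = {
    eks = {
      provider_arn               = data.aws_iam_openid_connect_provider.eks_provider.arn
      namespace_service_accounts = ["${var.k8s_namespace}:${var.k8s_namespace}-sa"]
    }
  }

  tags = var.aws_tags
}
```

To check the result after apply, run `aws ecr get-authorization-token --region eu-central-1` from a pod using the bound service account: it should succeed, while `helm pull oci://<account>.dkr.ecr.eu-central-1.amazonaws.com/<repo-not-in-list>/<chart>` with that token should be denied. If you instead go with the AWSAppRunnerServicePolicyForECRAccess managed policy mentioned above, note that it grants the pull actions on every repository in the account.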
