![](/img/trans.png)
[英]AWS STS Assume Role - InvalidClientTokenId: The security token included in the request is invalid
[英]Kubernetes: external secrets operator error: InvalidClientTokenId: The security token included in the request is invalid
我正在通过以下方式尝试外部机密运算符(ESO):
https://github.com/external-secrets/external-secrets
https://external-secrets.io/guides-getting-started/
我正在使用 minikube 和 AWS 机密管理器来执行此操作(我也在 EC2 中托管的 k8s 集群中进行了尝试,但我得到了同样的错误)。
我按照上面链接中的步骤操作:
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets --set installCRDs=true
k create secret generic aws-credentials --from-literal=aws-access-key-id='xxx' --from-literal=aws-secret-access-key='xxx'
kind: SecretStore
metadata:
name: secretstore-sample
spec:
provider:
aws:
service: SecretsManager
role: arn:aws:iam::123456789012:role/somerole
region: us-east-1
auth:
secretRef:
accessKeyIDSecretRef:
name: aws-credentials
key: aws-access-key-id
secretAccessKeySecretRef:
name: aws-credentials
key: aws-secret-access-key
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
name: example
spec:
refreshInterval: 1h
secretStoreRef:
name: secretstore-sample
kind: SecretStore
target:
name: secret-to-be-created
creationPolicy: Owner
data:
- secretKey: user-1-username
remoteRef:
key: test_user_1
property: username
- secretKey: user-1-password
remoteRef:
key: test_user_1
property: password
然后它说
externalsecret.external-secrets.io/example created
当我做
kubectl describe externalsecret.external-secrets.io/example
以下是我得到的,并且没有创建要创建的秘密:
...
Status:
Conditions:
Last Transition Time: 2021-06-09T22:45:10Z
Message: could not get secret data from provider: key "test_user_1" from ExternalSecret "example": InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: 5a544aa0-3953-4c0d-9dab-37bde10e328b
Reason: SecretSyncedError
Status: False
Type: Ready
Refresh Time: <nil>
Events: <none>
我知道这个角色可以访问 aws secrets manager(我已经运行 python 脚本来使用这个角色从我的笔记本电脑访问 aws secrets manager)。 但是,我对 k8s 的了解有限,所以,我感谢任何帮助。
我解决了这个问题。 它在 AWS 方面。 我需要创建一个新用户和一个新角色。 将新创建的角色放入 configmap 的role:部分,并允许用户通过为用户提供 aws 凭据作为 k8s 集群中的环境变量来担任该角色。
将此策略用于新创建的角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": [
"arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*",
]
}
]
}
下面作为角色的信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::..."
},
"Action": "sts:AssumeRole"
}
]
}
新创建用户的以下策略:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::...."
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.