[EKS-IAM Roles for Service Accounts] Possible to Assume Role? #86

Closed
GuillaumeKG opened this issue Feb 26, 2020 · 4 comments
Labels
enhancement New feature or request injector Area: mutating webhook service

Comments

GuillaumeKG opened the issue:

Hello,

Some context information:

  • I've deployed the Agent Sidecar Injector inside an EKS cluster targeting an external Vault server. This part works.
  • My pod has a service account which is mapped to an IAM role (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
  • This IAM role is bound to a Vault role to have access to secrets in Vault.
    Extract of the script:
    vault write auth/aws/role/$ROLE auth_type=iam bound_iam_principal_arn="$IAM_ROLE_ARN"
    ...
    vault write identity/entity-alias name="$BOUND_IAM_PRINCIPAL_ID" canonical_id=$ENTITY_ID mount_accessor=$ACCESSOR

Then:

  • When I assume this role and try to access the secret via the vault kv CLI, it works.
  • When the agent tries to connect to Vault, it receives the following error message:
    [ERROR] auth.handler: error authenticating: error="Error making API request.
    URL: PUT https://vault.hml.services.aws/v1/auth/kubernetes/login
    Code: 400. Errors:
    * missing client token" backoff=1.971367171

When I use the CLI, I retrieve the token manually with:

export VAULT_TOKEN=`vault login -method=aws -token-only role=sdo_spy-test_rw_iam`

So I suppose the issue comes from the aws method, which I guess is not used by the injector by default.
Is there a setting to change the way the token is retrieved? Or do I need to provide the token manually?

Thanks for your help

Guillaume

@GuillaumeKG GuillaumeKG changed the title [EKS-IAM Roles for Service Accounts] missing client token" backoff=2.332080477 [EKS-IAM Roles for Service Accounts] missing client token Feb 26, 2020
GuillaumeKG (Author) commented Feb 26, 2020

Hi,
After re-checking the docs, can I achieve my goal using configuration via a ConfigMap, as below?

  config.hcl: |
    "auto_auth" = {
      "method" = {
        "config" = {
          "role" = "db-app"
        }
        "type" = "kubernetes"
      }
    }

And replace kubernetes with aws?

I didn't find the doc with all possible fields and values, but I'll try this solution while waiting for feedback.
Do you know if there is more info on how to set up this ConfigMap (possible fields, mandatory fields...)?

Edit: I saw issue 75; the URL called seems to be the right one.

GuillaumeKG (Author) commented Feb 27, 2020

Quick update: using the ConfigMap way of configuration works with:

    "auto_auth" = {
      "method" = {
        "config" = {
          "type" = "iam"
          "role" = "my-vault-role"
        }
        "type" = "aws"
      }
    }

So far so good, but it uses the EC2 instance role for authentication.

In my use case, I want to use the AWS feature (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) that allows mapping a K8S service account to an IAM role.

The corresponding token is mounted under:
/var/run/secrets/eks.amazonaws.com/serviceaccount/token

This is a different location from the classic service account token:
/var/run/secrets/kubernetes.io/serviceaccount/token

Is there a way to request that the init-container and sidecar use this token for the iam authentication?

By mounting it as the AWS_SESSION_TOKEN environment variable, for instance?

To do so, we'll need a setting to mount the additional AWS volume aws-iam-token into the init-container and sidecar:

Volumes:
  aws-iam-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  86400

Thanks.
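The two token paths above carry differently scoped JWTs, and that difference is what decides which Vault Agent auto_auth method a pod can use. The following is an added example for this thread (not vault-k8s or HashiCorp code): it decodes a service-account JWT's claims without verifying the signature, classifies the token by audience, and renders the matching auto_auth stanza in the same HCL shape used in the ConfigMaps above. It assumes the IRSA projected token carries the default audience "sts.amazonaws.com" and that the EKS pod identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, which the AWS SDK default credential chain (and therefore Vault Agent's aws/iam method) reads. The tokens in the block are constructed sample data, not real EKS tokens.

```python
"""Classify the service-account JWTs an EKS pod may carry and map each one to
the Vault Agent auto_auth method it can drive. Added example for this issue
thread; the sample tokens below are constructed, not real EKS/Kubernetes tokens."""
import base64
import json
import time
from typing import Optional

# Paths from the issue: the IRSA projected token vs the classic SA token.
IRSA_TOKEN_PATH = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
K8S_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# Assumption: the EKS pod identity webhook injects these alongside the
# aws-iam-token volume; the AWS SDK default chain uses them for web identity.
IRSA_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
STS_AUDIENCE = "sts.amazonaws.com"  # assumption: default IRSA audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test data)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    Fine for deciding which auth method a token fits; never for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now: Optional[float] = None) -> dict:
    """Map a service-account JWT to the Vault auto_auth method it can drive."""
    claims = decode_jwt_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    exp = claims.get("exp")
    now = time.time() if now is None else now
    result = {
        "audience": aud,
        "subject": claims.get("sub"),
        "expired": exp is not None and now >= exp,
        "bound": exp is not None,  # legacy non-projected tokens have no exp
    }
    if STS_AUDIENCE in aud:
        result["vault_auth"] = "aws"          # auth/aws/login, type = "iam"
        result["required_env"] = list(IRSA_ENV)
    else:
        result["vault_auth"] = "kubernetes"   # auth/kubernetes/login, token_path
        result["required_env"] = []
    return result


def auto_auth_stanza(token: str, role: str, token_path: str) -> str:
    """Render the Vault Agent auto_auth block matching the token's audience."""
    kind = classify_token(token, now=0)["vault_auth"]
    if kind == "aws":
        config = f'      "type" = "iam"\n      "role" = "{role}"\n'
    else:
        config = f'      "role" = "{role}"\n      "token_path" = "{token_path}"\n'
    return ('"auto_auth" = {\n  "method" = {\n    "config" = {\n' + config
            + '    }\n' + f'    "type" = "{kind}"\n  }}\n}}\n')


def missing_irsa_env(env: dict) -> list:
    """Names of the IRSA variables absent from a container's environment."""
    return [name for name in IRSA_ENV if not env.get(name)]


# Constructed sample claims; shapes follow EKS/Kubernetes projected tokens.
IRSA_TOKEN = make_constructed_jwt({
    "aud": [STS_AUDIENCE], "exp": 1_700_086_400, "iat": 1_700_000_000,
    "iss": "https://oidc.eks.example.invalid/id/EXAMPLE",
    "sub": "system:serviceaccount:default:app",
})
K8S_TOKEN = make_constructed_jwt({
    "aud": ["https://kubernetes.default.svc"], "exp": 1_700_003_600,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:default:app",
})

if __name__ == "__main__":
    for path, tok in ((IRSA_TOKEN_PATH, IRSA_TOKEN), (K8S_TOKEN_PATH, K8S_TOKEN)):
        print(path, "->", classify_token(tok, now=1_700_000_100))
    print(auto_auth_stanza(IRSA_TOKEN, "my-vault-role", IRSA_TOKEN_PATH))
```

The classifier only reads claims; it is a configuration sanity check, not an authentication step, since Vault itself validates the token (against STS for aws/iam, against the API server for kubernetes). missing_irsa_env is the check to run inside the sidecar when the aws method silently falls back to the instance role: if the two IRSA variables are absent from the agent container, the SDK never sees the projected token.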

@GuillaumeKG GuillaumeKG changed the title [EKS-IAM Roles for Service Accounts] missing client token [EKS-IAM Roles for Service Accounts] Possible to Assume Role? Feb 28, 2020
@tvoran tvoran added enhancement New feature or request injector Area: mutating webhook service labels Feb 29, 2020
GuillaumeKG (Author) commented

After investigation, I guess I could use the field auto_auth.method.config.token_path to specify the path to the assumed token.
But a way to mount a new volume (/var/run/secrets/eks.amazonaws.com/serviceaccount/token) is still missing.

While waiting for a possible enhancement, I switched to the kubernetes auth method.

infa-mhadiman added a commit to infa-mhadiman/vault-k8s that referenced this issue Aug 13, 2020
tvoran pushed a commit that referenced this issue Apr 13, 2021
* fix failing tests

* removed check for length of envmap

* perform strict compare for env names
tvoran (Member) commented Apr 20, 2021

This has been addressed by #169 in vault-k8s 0.10.0. For example, annotations like this will utilize IRSA creds to assume the AWS role and authenticate to Vault's aws auth method:

  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "dev-role-iam"
    # AWS auth method config
    vault.hashicorp.com/auth-type: "aws"
    vault.hashicorp.com/auth-path: "auth/aws"
    vault.hashicorp.com/auth-config-type: "iam"
    # secret injection template
    vault.hashicorp.com/agent-inject-secret-database-config.txt: "internal/data/database/config"
    vault.hashicorp.com/agent-inject-template-database-config.txt: |
      {{- with secret "internal/data/database/config" -}}
      postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard
      {{- end -}}

Closing for now.

@tvoran tvoran closed this as completed Apr 20, 2021
RemcoBuddelmeijer pushed a commit to RemcoBuddelmeijer/vault-k8s that referenced this issue Feb 22, 2022