
Issuer with IRSA needs ambient credentials flag #701

Open

wants to merge 2 commits into base: master
Conversation

rossigee

This should help reduce the amount of time people might waste trying to figure out how to resolve the following error:

```
error instantiating route53 challenge solver: unable to construct route53 provider: empty credentials; perhaps you meant to enable ambient credentials?
```

A couple of related bug reports:

* cert-manager/cert-manager#3009
* cert-manager/cert-manager#3079

@jetstack-bot jetstack-bot added the dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. label Sep 13, 2021
@netlify

netlify bot commented Sep 13, 2021

Deploy Preview for cert-manager-website ready!

* Latest commit: f855dce
* Latest deploy log: https://app.netlify.com/sites/cert-manager-website/deploys/6256dfd4673d9900099420f8
* Deploy Preview: https://deploy-preview-701--cert-manager-website.netlify.app

@jetstack-bot
Contributor

Hi @rossigee. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Sep 13, 2021
@rossigee
Author

/assign @meyskens

@tstraley

tstraley commented Dec 7, 2021

I'm curious if any of the maintainers can chime in here with why the Issuer and ClusterIssuer have different functionality here? Shouldn't either one be trying to use the modern AWS SDK to its full extent and collecting credentials from all supported sources?

Member

@wallrj wallrj left a comment


Thanks @rossigee

And apologies for the delayed review.
Judging by the number of issues mentioning the ambient-credentials flags,
this is a much needed addition to the documentation.

I was surprised at the lack of docs and when I went digging into the origin of this feature,
I found that the original author did write documentation for this:

That document contains some important extra information about why ambient-credentials are disabled by default for Issuer.
Please review that document and copy over all the content that you think is still relevant.

Thanks.

@wallrj
Member

wallrj commented Jan 21, 2022

/ok-to-test

@jetstack-bot jetstack-bot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 21, 2022
@@ -180,6 +180,8 @@ spec:

Note that, as mentioned above, the pod is using `arn:aws:iam::XXXXXXXXXXX:role/cert-manager` as a credentials source in Account X, but the `ClusterIssuer` ultimately assumes the `arn:aws:iam::YYYYYYYYYYYY:role/dns-manager` role to actually make changes in Route53 zones located in Account Y.

If you are using an Issuer instead of a ClusterIssuer and assuming a role you will need to ensure that cert-manager is started with the `--issuer-ambient-credentials=true` argument.
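Review bot: The sentence added after the cross-account note ties `--issuer-ambient-credentials=true` to "assuming a role", but what decides whether the flag is needed is the credential source, not the `role` field. With static keys in a Secret, the assume-role call is made with those keys and ambient credentials are never consulted; with IRSA (`AWS_WEB_IDENTITY_TOKEN_FILE`) or an instance profile, the `Issuer` spec carries no credentials at all and the flag is required, role or no role. Suggest moving the sentence into the IRSA section and stating why the default is off for `Issuer`: any user able to create an `Issuer` in a namespace could otherwise issue certificates with whatever credentials the cert-manager pod happens to hold, so the reader should scope the pod's IAM permissions to the intended hosted zones before turning it on.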

I don't think this is quite correct. If assuming a role (like in the example above) and using static credentials, then the ambient credentials aren't necessary.

The ambient credentials ARE necessary when using AWS_WEB_IDENTITY_TOKEN_FILE (as is the case of IAM Role for Service Accounts) or IAM instance profile via instance metadata.

I'd argue that this documentation should be moved into the IRSA section below, as a result.

@wallrj
Member

wallrj commented Jan 26, 2022

> I'm curious if any of the maintainers can chime in here with why the Issuer and ClusterIssuer have different functionality here? Shouldn't either one be trying to use the modern AWS SDK to its full extent and collecting credentials from all supported sources?

I found the answer in a document which we obviously forgot to port over to the new website:

https://github.com/jetstack/cert-manager/blob/95883c47dd31ad6c0e7652a192e4c51981d67592/docs/user-guides/ambient-credentials.md?plain=1#L33-L46

> ## When are Ambient Credentials used
>
> Ambient credentials are supported for the 'route53' ACME dns01 provider.
>
> They will only be used if no credentials are supplied, even if the supplied credentials are incorrect.
>
> By default, they may be used by ClusterIssuers, but not regular issuers. The
> `--issuer-ambient-credentials` and
> `--cluster-issuer-ambient-credentials=false` flags on the cert-manager may be
> used to override this behavior.
>
> Note that ambient credentials are disabled for regular Issuers by default to
> ensure unprivileged users who may create issuers cannot issue certificates
> using any credentials cert-manager incidentally has access to.

So I suggest we add that to the current docs
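To make the rule in the quoted document concrete, here is an added example (not part of this PR, and not the cert-manager project's own documentation) showing a namespaced `Issuer` that relies on IRSA for Route53, alongside the cert-manager Helm values that allow it to use those ambient credentials. The account IDs, role names, hosted zone ID, namespace and email are placeholders; `serviceAccount.annotations`, `securityContext` and `extraArgs` are standard keys of the cert-manager Helm chart, and the `fsGroup` setting is assumed to be needed for the controller to read the projected token file.

```yaml
# --- cert-manager Helm values (added example; all IDs are placeholders) ---
# IRSA: because of this annotation, EKS injects AWS_WEB_IDENTITY_TOKEN_FILE and
# AWS_ROLE_ARN into the controller pod. These are the "ambient" credentials.
serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXXXXXX:role/cert-manager   # placeholder
securityContext:
  fsGroup: 1001   # assumed: lets the non-root controller read the projected token file
extraArgs:
  # ClusterIssuers may use ambient credentials by default; namespaced Issuers may not.
  # Without this flag an Issuer that supplies no static keys fails with
  # "empty credentials; perhaps you meant to enable ambient credentials?".
  - --issuer-ambient-credentials=true
---
# --- Namespaced Issuer that uses the pod's ambient (IRSA) credentials ---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-route53
  namespace: example-app          # placeholder namespace
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com      # placeholder
    privateKeySecretRef:
      name: letsencrypt-route53-account-key
    solvers:
      - dns01:
          route53:
            region: us-east-1
            hostedZoneID: Z0000000000000000000   # placeholder zone ID
            # No accessKeyID / secretAccessKeySecretRef here: that absence is what
            # makes cert-manager fall back to ambient credentials. If static keys
            # were present they would be used instead, even if they were wrong.
            # Optional cross-account hop: the AssumeRole call is made with the
            # ambient credentials, so the flag is still required when IRSA is used.
            role: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager   # placeholder
```

Two things to check after applying this. First, confirm the flag actually reached the running controller, for example with `kubectl -n cert-manager get deploy cert-manager -o jsonpath='{.spec.template.spec.containers[0].args}'`; a Helm upgrade that silently dropped `extraArgs` reproduces the "empty credentials" error. Second, remember what the flag grants: every principal allowed to create an `Issuer` in any namespace can now drive Route53 with the controller's IAM identity, so restrict the `cert-manager` role's policy to `route53:ChangeResourceRecordSets` on the specific hosted zone ARNs you intend to serve, and treat `create` on `issuers.cert-manager.io` as a privileged RBAC verb.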

@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 13, 2022
@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 13, 2022
@jetstack-bot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rossigee
To complete the pull request process, please assign maelvls after the PR has been reviewed.
You can assign the PR to them by writing /assign @maelvls in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot
Contributor

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

  • 8775d48 Issuer with IRSA needs ambient credentials flag
  • f855dce Re-use existing documentation describing ambient credentials for non-cluster Issuers.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@jetstack-bot jetstack-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Apr 13, 2022
@jetstack-bot
Contributor

@rossigee: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-cert-manager-website-verify | f855dce | link | true | /test pull-cert-manager-website-verify |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
