Issuer with IRSA needs ambient credentials flag #701
base: master
✅ Deploy Preview for cert-manager-website ready!
Hi @rossigee. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @meyskens
I'm curious if any of the maintainers can chime in here with why the Issuer and ClusterIssuer have different functionality here? Shouldn't either one be trying to use the modern AWS SDK to its full extent and collecting credentials from all supported sources? |
Thanks @rossigee
And apologies for the delayed review.
Judging by the number of issues mentioning the ambient-credentials flags,
this is a much needed addition to the documentation.
I was surprised at the lack of docs and when I went digging into the origin of this feature,
I found that the original author did write documentation for this:
- https://github.com/jetstack/cert-manager/blob/95883c47dd31ad6c0e7652a192e4c51981d67592/docs/user-guides/ambient-credentials.md
- Allow non-static AWS credentials for Route 53, gated by "ambient credentials" flags cert-manager#363
That document contains some important extra information about why ambient-credentials are disabled by default for Issuer.
Please review that document and copy over all the content that you think is still relevant.
Thanks.
/ok-to-test
@@ -180,6 +180,8 @@ spec: | |||
|
|||
Note that, as mentioned above, the pod is using `arn:aws:iam::XXXXXXXXXXX:role/cert-manager` as a credentials source in Account X, but the `ClusterIssuer` ultimately assumes the `arn:aws:iam::YYYYYYYYYYYY:role/dns-manager` role to actually make changes in Route53 zones located in Account Y. | |||
|
|||
If you are using an Issuer instead of a ClusterIssuer and assuming a role you will need to ensure that cert-manager is started with the `--issuer-ambient-credentials=true` argument. |
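Review bot: the added sentence makes the flag conditional on "assuming a role", but role assumption is not what triggers the requirement; the credential source is. An Issuer configured with static credentials and a `role` (as in the ClusterIssuer example above, which assumes `arn:aws:iam::YYYYYYYYYYYY:role/dns-manager`) works without any ambient flag, whereas an Issuer that relies on ambient credentials, i.e. the web identity token injected by IAM Roles for Service Accounts or an EC2 instance profile via instance metadata, fails with "empty credentials; perhaps you meant to enable ambient credentials?" unless the controller runs with `--issuer-ambient-credentials=true`. Suggest rewording along the lines of: "If you are using an Issuer instead of a ClusterIssuer and relying on ambient credentials (IRSA or an instance profile) rather than static keys, you will need to ensure that cert-manager is started with the `--issuer-ambient-credentials=true` argument." and moving it into the IRSA section, with a short note on why the flag is off by default for Issuer, since the linked original ambient-credentials document covers that reasoning.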
I don't think this is quite correct. If assuming a role (like in the example above) and using static credentials, then the ambient credentials aren't necessary.
The ambient credentials ARE necessary when using AWS_WEB_IDENTITY_TOKEN_FILE
(as is the case of IAM Role for Service Accounts) or IAM instance profile via instance metadata.
I'd argue that this documentation should be moved into the IRSA section below, as a result.
I found the answer in a document which we obviously forgot to port over to the new website:
So I suggest we add that to the current docs
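To make the distinction from the review above concrete, here is an added example (not part of this PR, the cert-manager docs, or the project's own manifests) showing a namespaced Issuer that relies on IRSA for its base credentials and then assumes a cross-account role, together with the controller argument it depends on. The namespace, Issuer name, e-mail, region, hosted zone ID and the shape of the Deployment are placeholders; the only settings taken from the thread are the `--issuer-ambient-credentials=true` flag, the assumed-role ARN and the fact that no static keys are configured.

```yaml
# Added example: namespaced Issuer + IRSA + assumed role. Placeholder names and IDs.

# 1. Controller Deployment. The pod's service account carries the IRSA role
#    annotation, so the AWS SDK inside cert-manager can pick up
#    AWS_WEB_IDENTITY_TOKEN_FILE. A namespaced Issuer is only allowed to use that
#    ambient source when the flag below is set; without it the Route53 solver fails
#    with "empty credentials; perhaps you meant to enable ambient credentials?".
#    A ClusterIssuer with the same solver config does not need this flag.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  template:
    spec:
      serviceAccountName: cert-manager   # annotated with eks.amazonaws.com/role-arn (IRSA)
      containers:
        - name: cert-manager-controller
          args:
            - --issuer-ambient-credentials=true   # required for the Issuer below
---
# 2. Namespaced Issuer. No accessKeyID / secretAccessKeySecretRef: base credentials
#    come from the web identity token, and the pod role then assumes dns-manager,
#    which holds the Route53 permissions in the other account.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-route53        # placeholder
  namespace: app                   # placeholder
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com         # placeholder
    privateKeySecretRef:
      name: letsencrypt-route53-account-key
    solvers:
      - dns01:
          route53:
            region: eu-west-1                                 # placeholder
            hostedZoneID: Z0123456789ABCDEFGHIJ               # placeholder
            role: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager  # assumed via the IRSA role
```

If the same solver block is instead given static keys via `accessKeyID` and `secretAccessKeySecretRef`, the ambient flag is not consulted at all and the `role` is assumed from those keys, which is the case the new sentence in the diff conflates with the IRSA one.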
This should help reduce the amount of time people might waste trying to figure out how to resolve the following error:

```
error instantiating route53 challenge solver: unable to construct route53 provider: empty credentials; perhaps you meant to enable ambient credentials?
```

A couple of related bug reports:

* cert-manager/cert-manager#3009
* cert-manager/cert-manager#3079
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rossigee The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits. 📝 Please follow instructions in the contributing guide to update your commits with the DCO Full details of the Developer Certificate of Origin can be found at developercertificate.org. The list of commits missing DCO signoff:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
@rossigee: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.