Confd can't authenticate with ssm backend #854

Open
hgibsonqb opened this issue Feb 3, 2022 · 2 comments

hgibsonqb commented Feb 3, 2022

Hi,

I'm running confd in a container in eks. The pod has a service account which is associated with an iam role. https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

The AWS environment variables in the pod look like this. I've also tested without AWS_SDK_LOAD_CONFIG set with the same results.

AWS_SDK_LOAD_CONFIG=1
AWS_REGION=us-east-2
AWS_DEFAULT_REGION=us-east-2
AWS_ROLE_ARN=<my role arn>
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

I'm able to see valid aws configuration

# aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************G3Z6 assume-role-with-web-identity    
secret_key     ****************Uy6T assume-role-with-web-identity    
    region                us-east-2              env    AWS_DEFAULT_REGION

I'm also able to access the ssm parameters through the aws cli

# aws ssm get-parameter --name <my prefix>/<my ssm parameter name>
{
    "Parameter": {
        "Name": "<my ssm parameter>",
        "Type": "SecureString",
        "Value": "<my value>",
        "Version": 1,
        "LastModifiedDate": 1626799800.065,
        "ARN": "<my arn>",
        "DataType": "text"
    }
}

However trying to access with confd ssm parameter backend returns an error

confd -onetime -backend ssm -prefix /<my prefix> -log-level debug
2022-02-02T19:39:08Z indigo-web-m-76cdb94fc8-jnx99 confd[39]: INFO Backend set to ssm
2022-02-02T19:39:08Z indigo-web-m-76cdb94fc8-jnx99 confd[39]: INFO Starting confd
2022-02-02T19:39:08Z indigo-web-m-76cdb94fc8-jnx99 confd[39]: INFO Backend source(s) set to 
2022-02-02T19:39:08Z indigo-web-m-76cdb94fc8-jnx99 confd[39]: FATAL NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

I'm using confd version confd-0.16.0-linux-amd64 and awscli version aws-cli/1.22.46 Python/3.7.3 Linux/5.4.162-86.275.amzn2.x86_64 botocore/1.23.46. The container os is x86_64 GNU/Linux.

My toml file looks like this

[template]
src  = "<my file tmpl>"
dest = "<my file yaml>"
mode = "0640"
uid  = 1000
gid  = 1000

<my file tmpl> looks like this

:ENV:
  <MY PARAM>: {{getv "/<my prefix>/<my ssm parameter name>" ""}}

@hgibsonqb
Author

I did some investigation and it's probably because the aws-go-sdk version used by confd is very old. In the go package lock https://github.com/kelseyhightower/confd/blob/master/Gopkg.lock it's pinned to version "v1.13.41" from 2018.

The session package's environment variable config file from that version has no option for WEB_IDENTITY_TOKEN_FILE or AWS_ROLE_ARN https://github.com/aws/aws-sdk-go/blob/9a2fe34af9644afba4a1a1406966e78eb0e985af/aws/session/env_config.go#L19-L98

The most recent version does though https://github.com/aws/aws-sdk-go/blob/main/aws/session/env_config.go#L131-L137

Would it be possible to upgrade the aws-go-sdk version?
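
The version check described in the comment above can be scripted. This is an added example, not code from the thread or from the confd project: it reads a Gopkg.lock, finds the pinned aws-sdk-go version and reports whether that release can use the IAM-roles-for-service-accounts variables. The function names and the lock excerpt are constructed for illustration, and the v1.23.13 minimum is an assumption taken from the EKS documentation.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLock is a constructed Gopkg.lock excerpt; only the version is from the thread.
const sampleLock = `[[projects]]
  name = "github.com/aws/aws-sdk-go"
  version = "v1.13.41"`

// pinnedSDK returns the version a Gopkg.lock pins for aws-sdk-go.
func pinnedSDK(lock string) (string, bool) {
	inSDK := false
	for _, line := range strings.Split(lock, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "name = ") {
			inSDK = line == `name = "github.com/aws/aws-sdk-go"`
		} else if inSDK && strings.HasPrefix(line, "version = ") {
			return strings.Trim(strings.TrimPrefix(line, "version = "), `"`), true
		}
	}
	return "", false
}

// diagnose reports whether the pinned SDK can use the pod's IRSA variables.
// Assumption (not from the thread): v1.23.13 is the minimum aws-sdk-go v1
// release the EKS IRSA documentation lists for web identity support.
func diagnose(env map[string]string, lock string) string {
	if env["AWS_ROLE_ARN"] == "" || env["AWS_WEB_IDENTITY_TOKEN_FILE"] == "" {
		return "IRSA variables not set"
	}
	var a, b, c int
	v, _ := pinnedSDK(lock)
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c); err != nil {
		return "aws-sdk-go version not readable from lock file"
	}
	if a < 1 || (a == 1 && (b < 23 || (b == 23 && c < 13))) {
		return "aws-sdk-go " + v + " ignores the web identity token: expect NoCredentialProviders"
	}
	return "aws-sdk-go " + v + " supports web identity credentials"
}

func main() {
	env := map[string]string{"AWS_ROLE_ARN": "<my role arn>", "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
	fmt.Println(diagnose(env, sampleLock))
}
```

Running the same check against a vendored dependency tree before deploying to a cluster that relies on service-account roles catches this failure without needing pod access.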

@abtreece
Contributor

Hey @hgibsonqb you could give my fork of confd a shot.
