Comments (4)
You need to use the thumbprint of the OIDC provider, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
Try re-creating the OIDC provider and test the solution.
from aws-secret-sidecar-injector.
@Painyjames Thanks for testing the solution out.
Could you please share the output of the command below to verify that the init container ran fine.
kubectl describe pod webserver-5899d5548-md8zm | grep "Init Containers" -A 10
Note - Replace the webserver pod name with the correct one
The status should show something like
secrets-init-container:
    Container ID:   docker://xxxxxyyyyzzzz
    Image:          docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.1
    Image ID:       docker-pullable://amazon/aws-secrets-manager-secret-sidecar@sha256:xxxxyyyyzzzz
    Port:           <none>
    Host Port:      <none>
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Fri, 17 Jul 2020 08:21:57 -0500
Now check the logs of the init container and the webserver pod with the below commands -
kubectl logs webserver-5899d5548-md8zm -c secrets-init-container
kubectl logs webserver-5899d5548-md8zm
The output should be empty for the init container and display the secret value for the webserver pod.
Other steps to check -
- Verify if the OIDC provider exists in the IAM console under the Identity providers section
- Verify if the IAM role webserver-secrets-role has the policy webserver-secrets-policy attached with the correct OIDC trust relationship
Please post your response here.
from aws-secret-sidecar-injector.
Apparently the pod is ok.
secrets-init-container:
    Container ID:   docker://7b184e816e0d4f3270ba8c973b1f78fd508ac2f9e684922a5049f7c202b408ab
    Image:          docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.1
    Image ID:       docker-pullable://amazon/aws-secrets-manager-secret-sidecar@sha256:079028dde7738a622ecbf35ee6b345bba7a0a5f40584c4e97e21535ced0cc421
    Port:           <none>
    Host Port:      <none>
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Fri, 17 Jul 2020 10:53:48 +0100
but if we get the logs for the init container we receive the following:
kubectl logs webserver-7b56c5866-9sr5l -c secrets-init-container
WebIdentityErr: failed to retrieve credentials
caused by: InvalidIdentityToken: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint
status code: 400, request id: 7a767a2d-1a17-46a5-89d0-7ed93fb3120b
Might this be related to the certificates generated by the helm chart?
from aws-secret-sidecar-injector.
@sai1621 you were right, the OIDC thumbprint changed since the last time and we needed to recreate it.
We are getting the secrets successfully now.
from aws-secret-sidecar-injector.
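The root cause in this thread was a stale thumbprint on the IAM OIDC provider. The script below is an added example, not code from aws-secret-sidecar-injector: it computes the thumbprint IAM expects (SHA-1 of the last certificate in the chain the issuer presents, as in the AWS verify-thumbprint guide linked above) and compares it with whatever is registered, so the mismatch can be caught before the init container fails with InvalidIdentityToken. It assumes the openssl CLI is installed for the live fetch; SAMPLE_CHAIN and STALE_REGISTERED are constructed stand-ins so the module runs offline.

```python
# Added example (not aws-secret-sidecar-injector code): compare an IAM OIDC
# provider's registered thumbprint with the CA currently serving the issuer.
# Stdlib only; SAMPLE_CHAIN is a constructed stand-in, not real certificates.
import base64
import hashlib
import re
import subprocess

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fetch_chain_pem(host: str, port: int = 443) -> str:
    """Chain the issuer presents, via `openssl s_client -showcerts` (AWS guide)."""
    cmd = ["openssl", "s_client", "-servername", host, "-showcerts",
           "-connect", f"{host}:{port}"]
    return subprocess.run(cmd, input=b"", capture_output=True,
                          check=True, timeout=20).stdout.decode()


def chain_thumbprints(pem_chain: str) -> list:
    """SHA-1 of each cert's DER bytes, leaf first, in IAM's format
    (40 uppercase hex digits, no colons)."""
    thumbs = []
    for body in PEM_RE.findall(pem_chain):
        der = base64.b64decode("".join(body.split()))
        thumbs.append(hashlib.sha1(der).hexdigest().upper())
    return thumbs


def expected_thumbprint(pem_chain: str) -> str:
    """Value IAM should hold: the last (top-most CA) cert in the chain."""
    thumbs = chain_thumbprints(pem_chain)
    if not thumbs:
        raise ValueError("no PEM certificates found in chain")
    return thumbs[-1]


def thumbprint_matches(pem_chain: str, registered: list) -> bool:
    """True if any registered thumbprint equals the current CA fingerprint;
    colons and case are normalised since tooling prints both forms."""
    have = {t.replace(":", "").upper() for t in registered}
    return expected_thumbprint(pem_chain) in have


def fake_cert(label: bytes) -> str:
    """Constructed PEM block for offline use; the body is not a real cert."""
    b64 = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


SAMPLE_CHAIN = fake_cert(b"constructed leaf") + fake_cert(b"constructed root CA")
STALE_REGISTERED = ["0" * 40]  # placeholder: thumbprint of a CA no longer in use

if __name__ == "__main__":
    # Live check: replace SAMPLE_CHAIN with fetch_chain_pem("<issuer host>")
    ok = thumbprint_matches(SAMPLE_CHAIN, STALE_REGISTERED)  # offline demo
    print("match" if ok else f"MISMATCH, register {expected_thumbprint(SAMPLE_CHAIN)}")
```

For a real cluster, pass the issuer host (the hostname part of the cluster's OIDC issuer URL) to fetch_chain_pem and the thumbprint list shown on the provider in the IAM console; a mismatch means the provider must be re-created with the printed value, as was done in this thread.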