jenkins-x/terraform-aws-eks-jx

Policy for access to secrets manager is not added to tekton bot

babadofar opened this issue · 4 comments

When trying to use aws secrets manager for holding secrets, the role policy arn is not added to the tekton bot.
Should be added in the irsa.tf file around here https://github.com/jenkins-x/terraform-aws-eks-jx/blob/master/modules/cluster/irsa.tf#L46


```hcl
module "iam_assumable_role_tekton_bot" {
  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version                       = "~> v3.8.0"
  create_role                   = var.create_tekton_role
  role_name                     = var.is_jx2 ? substr("tf-${var.cluster_name}-sa-role-tekton-bot-${local.generated_seed}", 0, 60) : "${local.cluster_trunc}-tekton-bot"
  provider_url                  = local.oidc_provider_url
  role_policy_arns              = var.create_tekton_role ? concat([aws_iam_policy.tekton-bot[0].arn], var.additional_tekton_role_policy_arns) : [""]
  oidc_fully_qualified_subjects = ["system:serviceaccount:${local.jenkins-x-namespace}:tekton-bot"]
}
```

I don't think the tekton bot policy is the correct place to fix this actually. The way we get this to work is by adding the policy to the workers. Not sure if that is the best way, but in any case, that seems to be set here
https://github.com/jenkins-x/terraform-aws-eks-jx/blob/master/modules/cluster/main.tf#L129
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest#input_workers_additional_policies

I think the tekton bot should have this policy. What issues did you have when you added it to the tekton bot?

I never tried to set it on the tekton bot actually. A little confused by this, but I guess the policy needs to be set on the role, or assumed role for the service account for external secrets.

Yes, the assumed role is actually the tekton role; you can verify it by running `aws sts get-caller-identity` in any of your pipelines.
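As an added example (not code from the terraform-aws-eks-jx project or from anyone in this thread), here is one way to attach a least-privilege Secrets Manager read policy to the tekton-bot IRSA role without editing `irsa.tf`: the `role_policy_arns` expression quoted in the opening post already concatenates `var.additional_tekton_role_policy_arns`, so the policy ARN can be passed in from the calling root module. Assumptions: that the root `jenkins-x/eks-jx/aws` module passes `additional_tekton_role_policy_arns` through to `modules/cluster` (check its `variables.tf` for your version), that your secrets live under a `jx/` name prefix, and the placeholder cluster name.

```hcl
# Added example, not part of the terraform-aws-eks-jx project.
# Grants the tekton-bot IRSA role read-only access to Secrets Manager,
# scoped to secrets whose names start with "jx/" (assumed prefix).

locals {
  cluster_name = "my-jx-cluster" # placeholder, constructed for this example
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Least privilege: only the two read actions a secrets consumer needs,
# and only on secrets under the agreed prefix in this account and region.
data "aws_iam_policy_document" "tekton_bot_secrets_read" {
  statement {
    sid    = "ReadJxSecrets"
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
    ]
    resources = [
      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:jx/*",
    ]
  }

  # ListSecrets does not support resource-level restrictions, so it must be
  # granted on "*"; it only reveals metadata, not secret values.
  statement {
    sid       = "ListSecrets"
    effect    = "Allow"
    actions   = ["secretsmanager:ListSecrets"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "tekton_bot_secrets_read" {
  name   = "${local.cluster_name}-tekton-bot-secrets-read"
  policy = data.aws_iam_policy_document.tekton_bot_secrets_read.json
}

# The ARN is appended to the tekton-bot role via the module input that the
# irsa.tf snippet above concatenates into role_policy_arns (assumed to be
# exposed by the root module under the same name).
module "eks-jx" {
  source       = "jenkins-x/eks-jx/aws"
  cluster_name = local.cluster_name
  # ... other inputs for your environment ...

  additional_tekton_role_policy_arns = [aws_iam_policy.tekton_bot_secrets_read.arn]
}
```

Attaching the policy to the IRSA role rather than to the worker node role keeps the grant bound to the `tekton-bot` service account only; every other pod on the node keeps no Secrets Manager access. After `terraform apply`, the check the last comment describes still applies: `aws sts get-caller-identity` run inside a pipeline step should report the tekton-bot role ARN, and a `secretsmanager:GetSecretValue` call on a secret outside the `jx/` prefix should be denied.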