Support AWS Session Tokens
jorgemoralespou opened this issue · 17 comments
Is your feature request related to a problem? Please describe.
I'm using cert-manager on an AWS environment and I'm provided with an STS account by my company. When I try to create a DNS01 request to let's encrypt AWS responds always with: Failed to change Route 53 record set: InvalidClientTokenId: The security token included in the request is invalid.\n\tstatus code: 403. I have verified with the aws CLI that I need to provide the AWS_SESSION_TOKEN.
I've read a previous similar issue that requested the same (#1274) but in that case they could live by providing a role as they wanted to do cross-accounts provisioning. In my case, they problem I have is that the STS account I'm given doesn't have enough permissions to create an additional AWS role to allow for AWS Route53 record set changes, so I can not use it, but when using the AWS token I can change a Route53 record set.
Looking at the code (https://github.com/jetstack/cert-manager/blob/master/pkg/issuer/acme/dns/route53/route53.go#L95-L105) I've seen that I can use the AWS_SESSION_TOKEN if using ambient credentials, but can not configure an Issuer/ClusterIssuer with the required credentials.
I understand that an Issuer/ClusterIssuer should not have temporary credentials as it will not be able to renew certificates when expiration date approaches, but I'm using these certificates on ephemeral environments that will not last that long, so it's not really an issue.
Describe the solution you'd like
The change I'm proposing is just enhancing https://github.com/jetstack/cert-manager/blob/master/pkg/issuer/acme/dns/route53/route53.go to support getting the SessionToken via a secret like the secretAccessKey. If the certificate get close to expiration, the Issuer/ClusterIssuer can be updated with fresh credentials in case the environment lasted long, in this way you only need to update this object.
Describe alternatives you've considered
The alternative is modifying the cert-manager deployment to accept ambient credentials, which is really a bad option.
Environment details (if applicable):
- Kubernetes version (e.g. v1.17.3):
- Cloud-provider/provisioner (e.g. AWS):
- cert-manager version (e.g. v0.14.1):
- Install method (static manifests):
/kind feature
Sounds like there is a clear use case for this so makes sense to include it if someone would like to pick this up.
We should extend this with another field SessionToken which is a secret selector to where the token is.
https://github.com/jetstack/cert-manager/blob/cdc43833f9796c75d6261d81eeaf65a2d298bec3/pkg/apis/acme/v1alpha2/types_issuer.go#L319
This token can then get piped through to the provider as another method of auth. We should have some validation in place so that a user can only specify one auth method for the route53 dns provider.
/help
@JoshVanL:
This request has been marked as needing help from a contributor.
Please ensure the request meets the requirements listed here.
If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.
In response to this:
Sounds like there is a clear use case for this so makes sense to include it if someone would like to pick this up.
We should extend this with another field
SessionTokenwhich is a secret selector to where the token is.
https://github.com/jetstack/cert-manager/blob/cdc43833f9796c75d6261d81eeaf65a2d298bec3/pkg/apis/acme/v1alpha2/types_issuer.go#L319This token can then get piped through to the provider as another method of auth. We should have some validation in place so that a user can only specify one auth method for the route53 dns provider.
/help
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale
/remove-lifecycle stale
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale
/remove-lifecycle stale
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale
/remove-lifecycle stale
If somebody (preferably someone with access to an AWS environment where to test this change) would like to pick it up, that would be awesome.
Marking this as a good first issue, it might be a little advanced, but do let us know if you are interested, we could help with pointing at where the changes need to be made.
/good-first-issue
/remove-lifecycle rotten
@irbekrm:
This request has been marked as suitable for new contributors.
Please ensure the request meets the requirements listed here.
If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.
In response to this:
If somebody (preferably someone with access to an AWS environment where to test this change) would like to pick it up, that would be awesome.
Marking this as a good first issue, it might be a little advanced, but do let us know if you are interested, we could help with pointing at where the changes need to be made./good-first-issue
/remove-lifecycle rotten
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale
Hello, Is this issue still active?
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close
@jetstack-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with/reopen.
Mark the issue as fresh with/remove-lifecycle rotten.
Send feedback to jetstack.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.