Vault AWS IAM Role permission denied #1598
Comments
I hit this exact same issue and resorted to deploying Vault using the chart itself rather than the operator, which had some other issues as well, such as: it does not properly support PVC (#1596), and if a PVC is configured using Raft HA it fails to join properly because the name IP address has changed.
Using kube2iam is not a secure path to take. I see comments to use it in the code base. If running on AWS, using the supported IRSA/OIDC method with a service account annotation is the way to go. The use case is to use DynamoDB as a backend with an appropriate IRSA/OIDC role configured on the service account for Vault to use. Getting the same error noted by the reporter:
Thank you for your contribution! This issue has been automatically marked as
Describe the bug:
Trying to set one IAM Role attached to the vault service account on EKS in order to connect to S3 and KMS.
My findings:
If we don't set any specific role with the service account, Vault will use the cluster node group IAM role by default, so the cluster node group role needs the S3 and KMS permissions. This works, but it is not good practice. To avoid this, we need to set a specific IAM role for Vault.
Creating the role and attaching the IAM Role ARN to the service account should be enough, but we receive the following error:
This happens because the vault command runs as the vault user (UID 100) but the container runs as root user (UID 0).
Unfortunately, setting
securityContext: runAsUser: 0
(root), the issue is the same as above, since the container already runs as the root user. Setting
securityContext: runAsUser: 100
(vault), the container can't edit the vault folders' permissions:
Expected behaviour:
Should be possible to use a specific IAM Role with the vault container.
Steps to reproduce the bug:
Attach some specific IAM Role to the vault service account.
Environment details:
/kind bug
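The setup the report describes, as an added example that is not part of the issue and not the bank-vaults operator's own manifests: a plain Kubernetes ServiceAccount carrying the IRSA annotation, and a Deployment that runs Vault as the non-root vault user while still being able to read the projected OIDC token. Everything here is an assumption to adapt for your cluster: the `vault` namespace, the IAM role ARN placeholder, the image tag, and that the image's `vault` user is UID 100 with primary GID 1000. The security-relevant point is that without the annotation the pod silently falls back to the node group's instance role, and that the projected token is owned by root unless `fsGroup` is set, which is what leaves a UID 100 process unable to use it.

```yaml
# Added example, not from the issue or the bank-vaults project.
# Assumptions: namespace "vault", role ARN placeholder, image tag,
# and vault user = UID 100 / GID 1000 inside the image.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault
  namespace: vault
  annotations:
    # IRSA: the EKS pod identity webhook injects AWS_ROLE_ARN and
    # AWS_WEB_IDENTITY_TOKEN_FILE and mounts a projected OIDC token.
    # Without this annotation the pod uses the node group's instance role.
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<VAULT_ROLE_NAME>  # placeholder
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault
  namespace: vault
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      serviceAccountName: vault
      securityContext:
        runAsNonRoot: true
        runAsUser: 100     # vault user, so the process never runs as UID 0
        runAsGroup: 1000   # assumed primary GID of the vault user
        # fsGroup makes the kubelet mount the projected token group-readable
        # (0640, gid 1000) instead of root-only 0600, so UID 100 can read it.
        fsGroup: 1000
      containers:
      - name: vault
        image: hashicorp/vault:1.15.0   # assumption: pin to the version you run
        args: ["server", "-config=/vault/config"]
        env:
        - name: VAULT_ADDR
          value: http://127.0.0.1:8200
        - name: AWS_REGION
          value: eu-west-1              # assumption
        ports:
        - containerPort: 8200
        volumeMounts:
        - name: config
          mountPath: /vault/config
          readOnly: true
        - name: data
          mountPath: /vault/data
      volumes:
      - name: config
        configMap:
          name: vault-config            # assumption: holds the storage/seal stanzas
      - name: data
        emptyDir: {}                    # assumption: replace with a PVC for real use
```

To verify inside the running pod, `id -u` should print 100 and `ls -l "$AWS_WEB_IDENTITY_TOKEN_FILE"` should show the token owned by root with group 1000 and mode 0640; if it shows 0600 the `fsGroup` setting was not applied. The IAM role's trust policy must allow the cluster's OIDC provider with a condition on `sub` equal to `system:serviceaccount:vault:vault`, and it should carry only the S3, KMS or DynamoDB permissions Vault needs, so that the node group role can be stripped of them.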