1. 首页
  2. 问题列表
  3. 库伯内特斯:外部机密操作员错误:InvalidClientTokenId:请求中包含的安全令牌无效
提问者:小点点

库伯内特斯:外部机密操作员错误:InvalidClientTokenId:请求中包含的安全令牌无效


我正在通过以下方式尝试外部秘密操作员(ESO):

https://github.com/external-secrets/external-secrets

https://external-secrets.io/guides-getting-started/

我使用minikube和AWS秘密管理器来做到这一点(我也在EC2托管的k8s集群中尝试过,但我得到了相同的确切错误)。

我按照上面链接中的步骤操作:

  1. 添加了回购:

helm repo添加外部机密https://charts.external-secrets.io

helm安装外部秘密外部秘密/外部秘密--set install CRD=true

k创建机密的通用aws-凭据--from-litald=aws-access-key-id='xxx'--from-litald=aws-secure-access-key='xxx'

kind: SecretStore
metadata:
  name: secretstore-sample
spec:
  provider:
    aws:
      service: SecretsManager
      role: arn:aws:iam::123456789012:role/somerole
      region: us-east-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-credentials
            key: aws-access-key-id
          secretAccessKeySecretRef:
            name: aws-credentials
            key: aws-secret-access-key

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: example
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: secretstore-sample
    kind: SecretStore
  target:
    name: secret-to-be-created
    creationPolicy: Owner
  data:
    - secretKey: user-1-username
      remoteRef:
        key: test_user_1
        property: username
    - secretKey: user-1-password
      remoteRef:
        key: test_user_1
        property: password

然后它说

创建的externalsecret.external-secrets.io/example

当我这么做的时候

kubectl描述externalsecret.external-secrets.io/example

以下是我得到的,没有创建要创建的秘密:

...
Status:
  Conditions:
    Last Transition Time:  2021-06-09T22:45:10Z
    Message:               could not get secret data from provider: key "test_user_1" from ExternalSecret "example": InvalidClientTokenId: The security token included in the request is invalid.
                           status code: 403, request id: 5a544aa0-3953-4c0d-9dab-37bde10e328b
    Reason:                SecretSyncedError
    Status:                False
    Type:                  Ready
  Refresh Time:            <nil>
Events:                    <none>

我知道这个角色可以访问aws机密管理器(我已经使用这个角色运行python脚本从我的笔记本电脑访问aws机密管理器)。但是,我对k8s的了解有限,所以,我很感激任何帮助。


共1个答案

匿名用户

我解决了这个问题。它在AWS方面。我需要创建一个新用户和一个新角色。将新创建的角色放在config map的角色:部分,并允许用户通过为用户提供aws creds作为k8s集群中的环境变量来承担该角色。

将此策略用于新创建的角色:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*",
      ]
    }
  ]
}

以下为角色的信任关系:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::..."
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

新创建用户的以下策略:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::...."
    }
}

相关问题



热门标签
Java JavaScript Python PHP C# Android Html jQuery C++ Css IOS MySQL NodeJS