Cert-manager: Support obtaining Route53 credentials via EC2 IAM role

Created on 9 Nov 2017 · 9 Comments · Source: jetstack/cert-manager

Is this a BUG REPORT or FEATURE REQUEST?:

/kind feature

I would like support for obtaining Route53 credentials via EC2 IAM role, instead of hardcoding accessKeyID and secretAccessKey. This function already supports obtaining credentials via EC2 IAM role, would just need to make accessKeyID and secretAccessKeySecretRef optional in the spec and call the function if neither are passed.

All 9 comments

@bismarck how would you handle the security problem that IAM roles are at the EC2 instance level? By granting an IAM role you are granting Route53 admin access to all containers across the entire cluster, or at least the node pool.

One workaround is to combine cert-manager with kube2iam which intercepts and proxies container network access to the IAM endpoints to a 'hostnetwork' privileged agent container to fetch and pass through AWS role credentials to only specific containers.

In the absence of kube2iam, using k8s managed Secrets is, I think, a more secure option. The Access Key is not your master account key, but an IAM app key allowing only managing specific zones. And you can use AWS CloudWatch events and a Lambda function to automatically rotate the access key and update the Secret.

@whereisaaron I should have mentioned that we run kube2iam on our clusters, which is what motivated the feature request. Currently, cert-manager only supports static credentials.

I would also like to be able to use cert-manager with 'ambient' credentials; we also use kube2iam. Furthermore, my organization does not create IAM users and therefore all IAM credentials are role tokens and expire (are issued for a limited timeframe). This makes static credentials a non-starter in our environment.

IOW, +1 for making accessKeyID and secretAccessKeySecretRef optional and falling back on (the SDK default behavior of using) the metadata service credentials provider.

We are in the same situation as @emmanuel. Besides, I cannot see any reason for cert-manager to be more strict in this regard than for example external-dns.

@bismarck @olemarkus I agree it would be great to be able to use role-based temporary credentials for access to Route53 or potentially other services, rather than only static credentials. For Route53 with AWS clusters kube2iam makes that a sensible option.

We use an init-container to get aws creds from vault. Would definitely prefer if things respected the standard env vars.

This has been implemented in #363, but isn't included in a release yet.
It's intentionally gated behind a flag for regular issuers for security reasons. See the docs added in that PR for more detail.

/close
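As an added illustration of the fallback this thread proposes (static key pair if both fields are set, otherwise the SDK's ambient credential chain) and of the opt-in gate the last comment mentions, here is example code written for this page, not cert-manager's own implementation; the struct, function and flag names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Route53Creds is a hypothetical stand-in for the issuer spec fields the
// thread discusses; only the two field names come from the page.
type Route53Creds struct {
	AccessKeyID              string
	SecretAccessKeySecretRef string // name of the Secret holding the secret key
}

// CredMode is the outcome of credential resolution.
type CredMode string

const (
	ModeStatic  CredMode = "static"  // explicit key pair from the spec
	ModeAmbient CredMode = "ambient" // SDK default chain: env vars, instance metadata, kube2iam
)

// ResolveCredMode decides how the Route53 client should authenticate.
// allowAmbient models the operator opt-in flag: without it, ambient
// credentials are refused, because an instance-level role would otherwise
// be reachable by any pod on the node, as the thread points out.
func ResolveCredMode(c Route53Creds, allowAmbient bool) (CredMode, error) {
	hasKey := c.AccessKeyID != ""
	hasRef := c.SecretAccessKeySecretRef != ""
	switch {
	case hasKey && hasRef:
		return ModeStatic, nil
	case hasKey != hasRef:
		// A half-specified key pair is a misconfiguration; silently falling
		// back to ambient credentials would hide it from the operator.
		return "", errors.New("accessKeyID and secretAccessKeySecretRef must be set together")
	case allowAmbient:
		return ModeAmbient, nil
	default:
		return "", errors.New("no static credentials given and ambient credentials are not enabled")
	}
}

func main() {
	// Constructed sample: no static fields, ambient allowed -> "ambient".
	mode, err := ResolveCredMode(Route53Creds{}, true)
	fmt.Println(mode, err)
}
```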