Forcing external-secret synchronization using 1password token secret fails sometimes with status 403: Authorization: token does not have access to vault #4205

@renepupil

Description

Describe the bug

We create a 1Password Connect token with read access to a vault and store it as a Kubernetes secret, which is referenced by an external-secrets.io SecretStore that is in turn used by an ExternalSecret.

We sometimes force the synchronization of the external secret in our deployment.

Most of the time this works without issues, but sometimes the token is reported as invalid.

To Reproduce

  1. Create a 1Password Connect token for the vault and create a Kubernetes secret from it:

```shell
connect_token="$(op connect token create "fuzzy-token" --vault "fuzzy-vault,r")"
kubectl create secret generic onepassword-connect-token --type=Opaque --from-literal=token="${connect_token}"
```

  2. Use the secret in a SecretStore and reference that store from an ExternalSecret:

```yaml
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: onepassword-secret-store
spec:
  provider:
    onepassword:
      connectHost: http://onepassword-connect.external-secrets:8080
      vaults:
        fuzzy-vault: 1
      auth:
        secretRef:
          connectTokenSecretRef:
            name: onepassword-connect-token
            key: token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: env-secret
spec:
  secretStoreRef:
    kind: SecretStore
    name: onepassword-secret-store
  target:
    name: env-secret
  data:
  - secretKey: MY_SECRET
    remoteRef:
      key: MY-SECRET-ITEM
```

  3. Force synchronization of the external secret:

```shell
kubectl annotate externalsecret env-secret force-sync="$(date +%s)" --overwrite
```

  4. Retrieve the error events:

```shell
kubectl describe externalsecret env-secret
```

```
Events:
  Type     Reason        Age                   From              Message
  ----     ------        ----                  ----              -------
  Warning  UpdateFailed  2m7s (x627 over 14d)  external-secrets  status 403: Authorization: token does not have access to vault <vault-id>
  Warning  UpdateFailed  86s (x223 over 14d)   external-secrets  error finding 1Password Item: status 403: Authorization: token does not have access to vault <vault-id>
```

  5. Recheck the token state:

```shell
op connect token list
```

```
ID                  NAME                                      STATE      INTEGRATION ID                EXPIRES AT
<token-id>          fuzzy-token                               ACTIVE     <integration-id>              never
```

Expected behavior

That the external secret is successfully updated.

The event we normally get is:

```
Events:
  Type     Reason        Age                   From              Message
  ----     ------        ----                  ----              -------
  Normal   Updated       47s (x341 over 14d)   external-secrets  Updated Secret
```

No idea why the token is valid sometimes and sometimes not.

Additional context

Maybe related: 1Password/connect#82
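As an added diagnostic (not part of the original report and not code from the external-secrets project), the script below pulls the rejected vault ID out of an `UpdateFailed` event line and checks whether that ID appears anywhere in the claims of the Connect token, which is a JWT. The SecretStore names the vault (`fuzzy-vault`) while the 403 cites a vault ID, so this is the quickest way to tell whether the token was ever scoped to the vault Connect is complaining about. The event line, the token and its claim layout are constructed for the example; the search walks every string in the payload rather than assuming 1Password's claim names, and the signature is deliberately not verified because the goal is to read the token, not trust it.

```python
import base64
import json
import re
from typing import Iterator, Optional

# Constructed event line in the shape of the kubectl output above.
# The vault ID is a made-up placeholder, not a real 1Password vault.
EVENT_LINE = (
    "Warning  UpdateFailed  2m7s (x627 over 14d)  external-secrets  "
    "status 403: Authorization: token does not have access to vault "
    "hypotheticalvaultid0000000001"
)

VAULT_RE = re.compile(r"does not have access to vault (\S+)")


def vault_id_from_event(line: str) -> Optional[str]:
    """Extract the vault ID that Connect rejected from an UpdateFailed event."""
    m = VAULT_RE.search(line)
    return m.group(1) if m else None


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWT segments are unpadded, so restore '='."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying the signature (diagnostic only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def strings_in(obj) -> Iterator[str]:
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from strings_in(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from strings_in(v)


def token_mentions_vault(token: str, vault_id: str) -> bool:
    """True if the vault ID occurs in any claim of the token.

    Searching all strings avoids depending on the exact claim name that
    carries vault grants, which this example does not assume.
    """
    return vault_id in set(strings_in(decode_jwt_payload(token)))


def rejected_vault_is_in_token(event_line: str, token: str) -> bool:
    """Combine both checks: is the vault from the 403 event present in the token?"""
    vault_id = vault_id_from_event(event_line)
    return vault_id is not None and token_mentions_vault(token, vault_id)


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for offline testing.

    Assumption: the claim layout passed in is illustrative, not 1Password's.
    """
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()

    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])


# Constructed token granting read access to one hypothetical vault only.
SAMPLE_TOKEN = make_unsigned_token({
    "sub": "fuzzy-token",
    "vaults": [{"id": "hypotheticalvaultid0000000001", "perm": "r"}],
})

if __name__ == "__main__":
    vid = vault_id_from_event(EVENT_LINE)
    print(f"event rejects vault {vid}; token mentions it: "
          f"{rejected_vault_is_in_token(EVENT_LINE, SAMPLE_TOKEN)}")
```

To run it against the real token, read it back out of the secret the SecretStore uses (`kubectl get secret onepassword-connect-token -o jsonpath='{.data.token}' | base64 -d`) and pass that string together with the actual event line. If the rejected ID is present in the token, the intermittent 403 is not a token-scoping problem and the investigation moves to the Connect server side; if it is absent, the token was minted for a different vault than the one the store resolves `fuzzy-vault` to.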

Metadata

Labels

kind/bug (Categorizes issue or PR as related to a bug), track/providers (capture issues related to providers)

Status

Done
