Experimental AWS session cache issue in case of cross-account assumed roles #4455
Closed
Labels
kind/bug: Categorizes issue or PR as related to a bug.
Description
Describe the bug
Enabling the argument --experimental-enable-aws-session-cache=true and using cross-account CSS with role assumption results in failed authentications.
Disabling it results in all secrets being updated without issues.
To Reproduce
- enable --experimental-enable-aws-session-cache=true
- add a few CSS with cross-account and cross-region AWS SecretsManager providers.
Expected behavior
ESO properly caches sessions and does not try to assume a role from an already assumed session.
Additional context
Error:
error retrieving secret at .data[0], key: externalsecret-name-replaced, err: AccessDenied: User: arn:aws:sts::1234567890:assumed-role/target-iam-role/1740057294654071001 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234567890:role/target-iam-role\n\tstatus code: 403,
ESO version: v0.10.4
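A minimal Go model of the symptom in the error above, added here as an illustration and not taken from the ESO code base: a cache that reuses an assumed session as the source of the next AssumeRole fails on the second call, while a cache keyed by store, region and role that always assumes from the base session does not. All names (`Session`, `Key`, `Cache`, `assumeRole`, `chainedGet`, `baseIdentity`) and the fake STS trust rule are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Session is a constructed stand-in for an AWS session; it carries only the caller identity.
type Session struct{ Identity string }
// Key scopes a cached session to one store, region and target role.
type Key struct{ Store, Region, RoleARN string }

const baseIdentity = "controller-base" // hypothetical identity the target roles trust
var errAccessDenied = errors.New("AccessDenied: not authorized to perform: sts:AssumeRole")

// assumeRole is a fake STS call: roles trust only the base identity, so an assumed session is refused.
func assumeRole(src Session, roleARN string) (Session, error) {
	if src.Identity != baseIdentity {
		return Session{}, fmt.Errorf("%w (caller %s)", errAccessDenied, src.Identity)
	}
	return Session{Identity: "assumed-role/" + roleARN}, nil
}

// Cache stores assumed sessions per Key; Get always assumes from the base session.
type Cache map[Key]Session
func (c Cache) Get(k Key) (Session, error) {
	if s, ok := c[k]; ok {
		return s, nil // cache hit: no second AssumeRole
	}
	s, err := assumeRole(Session{Identity: baseIdentity}, k.RoleARN)
	if err == nil {
		c[k] = s
	}
	return s, err
}

// chainedGet models the reported failure: the cached session is the source of the next AssumeRole.
func chainedGet(cur *Session, roleARN string) error {
	s, err := assumeRole(*cur, roleARN)
	if err == nil {
		*cur = s
	}
	return err
}

func main() {
	cur := Session{Identity: baseIdentity}
	fmt.Println(chainedGet(&cur, "role-a"), chainedGet(&cur, "role-a"))
}
```
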