Status: Open
Labels: area/aws (Indicates an issue or PR related to AWS), help wanted (Extra attention is needed), kind/feature (Categorizes issue or PR as related to a new feature)
Description
Describe the bug
The STSSessionToken fails to create session credentials from long-term credentials with the error:

```
unable to get authorization token: AccessDenied: Cannot call GetSessionToken with session credentials
	status code: 403
```

while assuming a role.
To Reproduce
1. Use ESO 0.13.0 (oci.external-secrets.io/external-secrets/external-secrets:v0.13.0) on k3s v1.31.4 on-premises (no EC2 or EKS).
2. Create a secret with long-term IAM credentials:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: iam-cluster-credentials
type: Opaque
data:
  accessKey: ...
  secretAccessKey: ...
```

3. Test the long-term credentials with aws-cli:

```shell
AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=... aws sts assume-role --role-arn "arn:aws:iam::1234567890:role/my-role" --role-session-name "test"
```

-> Produces new session credentials.

4. Create the STSSessionToken generator:

```yaml
apiVersion: generators.external-secrets.io/v1alpha1
kind: STSSessionToken
metadata:
  name: sts-gen
spec:
  auth:
    secretRef:
      accessKeyIDSecretRef:
        key: accessKey
        name: iam-cluster-credentials
      secretAccessKeySecretRef:
        key: secretAccessKey
        name: iam-cluster-credentials
  region: eu-west-1
  requestParameters:
    sessionDuration: 3600
  role: arn:aws:iam::1234567890:role/my-role
```

5. Create an ExternalSecret to generate the session token:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: sts
spec:
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: STSSessionToken
        name: sts-gen
  refreshInterval: 1h
  target:
    name: sts
```
Expected behavior
A new secret named sts is created with session credentials.
Screenshots
ESO logs:

```
{"level":"debug","ts":"2025-05-08T10:28:42.614Z","logger":"provider.aws","msg":"using credentials from secretRef"}
{"level":"info","ts":"2025-05-08T10:28:42.714Z","logger":"provider.aws","msg":"using aws session","region":"eu-west-1","credentials":{}}
{"level":"debug","ts":"2025-05-08T10:28:43.412Z","logger":"events","msg":"error processing spec.dataFrom[0].sourceRef.generatorRef, err: error using generator: unable to get authorization token: AccessDenied: Cannot call GetSessionToken with session credentials\n\tstatus code: 403, request id: a47ce8db-d230-482d-b323-fddafb97cf49","type":"Warning","object":{"kind":"ExternalSecret","namespace":"memento","name":"local-sts","uid":"6655e0c6-3a21-4d5b-893c-618970f199cc","apiVersion":"external-secrets.io/v1beta1","resourceVersion":"12282826"},"reason":"UpdateFailed"}
{"level":"error","ts":"2025-05-08T10:28:43.502Z","msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"local-sts","namespace":"memento"},"namespace":"memento","name":"local-sts","reconcileID":"6b21a3ed-9722-46b1-a1ff-38f41ef8b615","error":"error processing spec.dataFrom[0].sourceRef.generatorRef, err: error using generator: unable to get authorization token: AccessDenied: Cannot call GetSessionToken with session credentials\n\tstatus code: 403, request id: a47ce8db-d230-482d-b323-fddafb97cf49","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.4/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.4/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.4/pkg/internal/controller/controller.go:224"}
```
Additional context
- I am using the same credentials and role with the ECRAuthorizationToken generator successfully.
- The trick from Support Disabling EC2 Metadata Server on AWS Related SecretStores/Generators #4679 does not help. Not sure this is related, as this is not an EC2 instance.
- I just found out it works when no role is requested. Session credentials are correctly generated. Am I using the role parameter correctly?
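An offline preflight check, added here and not part of ESO or this report, that decodes the credential Secret from step 2 and confirms the key the generator hands to GetSessionToken is a long-term IAM user key (AKIA prefix) rather than temporary STS credentials (ASIA prefix), which STS refuses for GetSessionToken with exactly the AccessDenied seen in the logs. The manifests are constructed dicts mirroring the report's `iam-cluster-credentials` Secret and `sts-gen` generator; the key IDs are placeholders.

```python
import base64

# Access key ID prefixes documented by AWS IAM: long-term IAM user keys start
# with AKIA, temporary (STS session) keys start with ASIA.
LONG_TERM_PREFIX = "AKIA"
TEMPORARY_PREFIX = "ASIA"


def decode_secret_data(secret: dict) -> dict:
    """Base64-decode the .data map of a Kubernetes Secret manifest."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def credential_kind(access_key_id: str) -> str:
    """Classify an access key ID as 'long-term', 'session' or 'unknown'."""
    if access_key_id.startswith(LONG_TERM_PREFIX):
        return "long-term"
    if access_key_id.startswith(TEMPORARY_PREFIX):
        return "session"
    return "unknown"


def preflight(secret: dict, generator: dict) -> list:
    """Check the key an STSSessionToken generator will use for GetSessionToken.

    Returns a list of findings; an empty list means the key is long-term, the
    only kind STS accepts for GetSessionToken.
    """
    ref = generator["spec"]["auth"]["secretRef"]["accessKeyIDSecretRef"]
    data = decode_secret_data(secret)
    if ref["key"] not in data:
        return [f"Secret has no data key '{ref['key']}'"]
    kind = credential_kind(data[ref["key"]])
    if kind == "session":
        return ["access key is temporary (ASIA): STS rejects GetSessionToken with "
                "session credentials; such a key can only be used for AssumeRole"]
    if kind == "unknown":
        return ["access key prefix is neither AKIA nor ASIA; cannot confirm it is long-term"]
    return []


def make_secret(access_key_id: str) -> dict:
    """Constructed Secret manifest shaped like the report's iam-cluster-credentials."""
    def enc(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": "iam-cluster-credentials"},
            "data": {"accessKey": enc(access_key_id), "secretAccessKey": enc("PLACEHOLDER")}}


# Constructed generator spec matching the report's sts-gen (role included).
SAMPLE_GENERATOR = {"spec": {"auth": {"secretRef": {"accessKeyIDSecretRef": {
    "key": "accessKey", "name": "iam-cluster-credentials"}}},
    "region": "eu-west-1", "role": "arn:aws:iam::1234567890:role/my-role"}}

if __name__ == "__main__":
    for key_id in ("AKIAIOSFODNN7EXAMPLE", "ASIAEXAMPLE000000000"):
        print(key_id, "->", preflight(make_secret(key_id), SAMPLE_GENERATOR) or ["ok"])
```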