Move from IRSA to Pod Identity with the Vault Provider IAM Auth does not work

[ManideepKarimireddy]

with the below clustersecretstore config , we get error

error:

cluster-secret-store expected env variable: AWS_WEB_IDENTITY_TOKEN_FILE not found on controller's pod

this is because with pod identity, controller pod will have env AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE and AWS_CONTAINER_CREDENTIALS_FULL_URI

clustersecretscore config:

kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      auth:
        iam:
          path: vaultauthpath
          region: <region>
          role: arn:aws:iam::<account>:role/<role>
          vaultAwsIamServerID: serverid
          vaultRole: vaultrole
      path: vaultpath
      server: https://vault-server-address

[gusfcarvalho]

hi @ManideepKarimireddy . I believe we do not support Pod Identity for Vault auth.

[ManideepKarimireddy]

Hi @gusfcarvalho thanks for the quick reply. any plans to have it in the near future?

[gusfcarvalho]

Nope 😄

[gusfcarvalho]

Implementing this feature isn't hard to do, though. I encourage you to submit a PR for it 😄 .

As always, if you need this and lack the skills / time assignment from your company, you can:

• bounty this issue for a community member to implement it for you;
• hire a consultancy company to implement this for you;
• or have a vendored distribution and ask the vendor for a SLA to support it.

The open source version does not provide any SLAs for these type of features. Maintainers are mostly on their free time, so there are no guarantees feature requests will be done on a given deadline (such as the famous near future)

[andylim0221]

@gusfcarvalho I'm working on fixing this issue. Please assign this to me. Thanks.

[gusfcarvalho]

done! Thank you @andylim0221