
fix: remove authentication option with JWT token from STSSessionToken generator (#5026)

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gergely Brautigam 9 months ago
parent
commit
308712f10f
2 changed files with 11 additions and 8 deletions
  1. 6 5
      docs/api/generator/sts.md
  2. 5 3
      pkg/generator/sts/sts.go

+ 6 - 5
docs/api/generator/sts.md

@@ -11,19 +11,20 @@ STSSessionToken uses the GetSessionToken API to retrieve a temporary session tok
 
 ## Authentication
 
-You can choose from three authentication mechanisms:
+You can choose from one authentication mechanisms:
 
 * static credentials using `spec.auth.secretRef`
-* point to a IRSA Service Account with `spec.auth.jwt`
-* use credentials from the [SDK default credentials chain](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) from the controller environment
+
+_Note_: STSSessionToken uses GetSessionToken API. This API can _only_ be used by long-term credentials such as an id + key.
+Therefore, it is only usable with a secretRef for authentication.
 
 ## Request Parameters
 
-Following request parameters can be provided:
+The following request parameters can be provided:
 
 - duration seconds -> can specify the TTL of the generated token
 - serial number -> define the serial number of the MFA device used by the user
-- token code -> possible code generated by the above referenced MFA device
+- token code -> possible code generated by the above-referenced MFA device
 
 ## Example Manifest
 

+ 5 - 3
pkg/generator/sts/sts.go

@@ -63,11 +63,13 @@ func (g *Generator) generate(
 	if err != nil {
 		return nil, nil, fmt.Errorf(errParseSpec, err)
 	}
+	if res.Spec.Auth.JWTAuth != nil {
+		return nil, nil, errors.New("jwt auth cannot be used for STS Session Token generation")
+	}
 	cfg, err := awsauth.NewGeneratorSession(
 		ctx,
 		esv1.AWSAuth{
 			SecretRef: (*esv1.AWSAuthSecretRef)(res.Spec.Auth.SecretRef),
-			JWTAuth:   (*esv1.AWSJWTAuth)(res.Spec.Auth.JWTAuth),
 		},
 		res.Spec.Role,
 		res.Spec.Region,
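Review bot: The new guard at the top of the hunk rejects a non-nil `JWTAuth` but still accepts a spec in which neither `JWTAuth` nor `SecretRef` is set, so such a request reaches `awsauth.NewGeneratorSession` with only a nil `SecretRef`; whether that helper then falls back to the controller's ambient credential chain is not visible here, but the companion docs change states GetSessionToken is only usable with a secretRef, so the code should enforce it: `if res.Spec.Auth.SecretRef == nil { return nil, nil, errors.New("secretRef is required for STS Session Token generation") }`. The new error is also an inline literal while the rest of `generate` reports through named constants such as `errParseSpec` and `errCreateSess`; a matching `errJWTAuthUnsupported` constant would keep the error handling uniform. `generate` begins before this hunk and continues past it.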
@@ -78,14 +80,14 @@ func (g *Generator) generate(
 	if err != nil {
 		return nil, nil, fmt.Errorf(errCreateSess, err)
 	}
-	client := stsFunc(cfg)
+	api := stsFunc(cfg)
 	input := &sts.GetSessionTokenInput{}
 	if res.Spec.RequestParameters != nil {
 		input.DurationSeconds = res.Spec.RequestParameters.SessionDuration
 		input.TokenCode = res.Spec.RequestParameters.TokenCode
 		input.SerialNumber = res.Spec.RequestParameters.SerialNumber
 	}
-	out, err := client.GetSessionToken(ctx, input)
+	out, err := api.GetSessionToken(ctx, input)
 	if err != nil {
 		return nil, nil, fmt.Errorf(errGetToken, err)
 	}