logic855/helm-external-secrets

شاخه: gc-feat-sts-session-token-generator-attempt-2

IdanAdar-patch-1

Switch-UBI-to-go-toolset-as-base-image

aws-iam-anywhere

aws-metadata

beach-team

beach-team-fix/beach-team-pipeline

beach/fix-fake-provider

beach/keyvault-set-secret

bh.ss

broken-link

bump/0.8.13

bunp-helm-chart

chart/certcontroller-partial-cache

chore/bump-0.9.2-branch

chore/bump-controller-runtime

chore/refactor-aws-auth

chore/standardize-vault-auth-paths

chore/update-readme-with-vision

cleanup-keys-when-using-template

coderabbitai/docstrings/17d3e22

conversion-webhook-debug

copilot/fix-code-scanning-alerts

copilot/fix-license-header-typographical-errors

copilot/sub-pr-6021

dependabot/go_modules/github.com/onsi/ginkgo-1.15.1

dependabot/go_modules/sigs.k8s.io/controller-runtime-0.8.3

design/decoding-strategy

dev/jsauvain/plugin_ovh_provider

docs/demo-of-devops-toolkit

e2e-test-run

feat/add-log-values-to-helm-chart

feature/aws-getallsecrets

feature/aws-getallsecrets-trim-root-path

feature/configure-promethues-target-port

feature/custom-cert-secret

feature/gcp-referent-auth

feature/keyvault-deletion-policy

feature/new-provider-structure

fix-infisical-404

fix-test

fix/e2e

fix/gcp-issues

fix/kubernetes-access-review-strategy

fix/vault-lint

fix/vault-not-handling-json-values

gc-feat-sts-session-token-generator-attempt-2

gc-fix-update-readme

gc/design/gen-secretstore-v2

gc/fix/ibm

gc/fix/v015.1

gc/rollback-0.15.1

gh-pages

gh-pages-dev

gitlab-validation-refactors

gusfcarvalho-patch-1

main

mj-add-generator

mj-aws-v2-parameterstore-e2e

mj-bump-ubiimg

mj-bumps

mj-design-oopp

mj-e2e-managed-aws-tf

mj-expose-admission-warnings

mj-fix-aws-genereator-auth-cache

mj-fix-dashboard

mj-fix-reko

mj-fix-vault-ref-spec

mj-go-mod

mj-provider-mod

mj-pushsecret-generator-state

mj-test-gcp-m

mj-test-mgmt

mj-v2-poc

mj-v2-poc-2

mj-v2-poc-api-crds

mj-v2-poc-build-targets

mj-v2-poc-charts

mj-v2-poc-ci-licensing

mj-v2-poc-compat-clientmanager

mj-v2-poc-core-wiring

mj-v2-poc-e2e-framework

mj-v2-poc-e2e-generator-suites

mj-v2-poc-e2e-provider-aws

mj-v2-poc-e2e-provider-common

mj-v2-poc-e2e-provider-fake-kubernetes

mj-v2-poc-e2e-provider-gcp

mj-v2-poc-e2e-provider-legacy

mj-v2-poc-final-cleanup

mj-v2-poc-generator-registry

mj-v2-poc-misc-cleanups

mj-v2-poc-module-refresh

mj-v2-poc-provider-adapters

mj-v2-poc-provider-aws

mj-v2-poc-provider-certs

mj-v2-poc-provider-fake

mj-v2-poc-provider-hack

mj-v2-poc-provider-interface

mj-v2-poc-provider-kubernetes

mj-v2-poc-provider-schemes

mj-v2-poc-pushsecret-v2

mj-v2-poc-rebased

mj-v2-poc-runtime-contract

mj-v2-poc-runtime-webhook

mj-v2-poc-store-requeue

poc-workflow

pr-5527

predicate-watch-fix

promote-chart-0.9.11

release-0.10.3-helm-charts

release-0.10.4-helm-charts

release-0.6

release-0.7

release-0.8

release-0.9

release-branch-test-1

release-chart-v0.10.5

release-chart-v0.15.0

release-chart-v0.15.0-2

release-chart-v0.15.0-3

release-helm-2.2.0

release-helm-chart-v0.10.5

release-helm-chart-v0.16.1

release-helm-chart-v0.16.2

release-helm-chart-v0.17.0

release-helm-chart-v0.18.1

release-helm-chart-v0.18.2

release-helm-chart-v0.19.0

release-helm-chart-v0.19.1

release-helm-chart-v0.20.1

release-helm-chart-v0.20.1-2

release-helm-chart-v0.20.1-3

release-helm-chart-v0.20.2

release-helm-chart-v0.20.3

release-helm-chart-v0.20.3-2

release-helm-chart-v0.20.4

release-helm-chart-v1.0.0

release-helm-chart-v1.1.0

release-notes-0.18.0

release-v0.10.6-helm-chart

release-v0.10.6-helm-chart-docs

release-v0.10.7

release-v0.11.0-charts

release-v0.12.1-charts

release-v0.13.0-charts

release-v0.13.0-charts-2

release-v0.14.0-charts

release-v0.14.2-charts

release-v0.14.3-charts

release-v0.14.3-charts-2

release-v0.14.4

revert-662-revert-613-getall-Secrets

sonar-dispatch

test-ca-cert-trouble

test-e2e-no-fork-2

test-e2e-run

test-infra

test-non-fork-e2e-test

update-deps-1679516143

update-deps-1679516914

update-deps-1679517123

update-deps-1679518009

update-deps-1679519068

update-deps-1679520715

update-deps-1679521323

update-deps-1679522475

update-deps-1679524823

update-deps-1679526149

update-deps-1679526150

update-deps-1684144987

update-deps-1684144991

update-deps-1684749783

update-deps-1684749784

update-deps-1685354595

update-deps-1685354598

update-deps-1685959386

update-deps-1685959389

update-deps-1686564186

update-deps-1686564187

update-deps-1687168984

update-deps-1688983412

update-deps-1689588212

update-deps-1689588216

update-deps-1689588218

update-deps-1690192998

update-deps-1690192999

update-deps-1690193006

update-deps-1690797787

update-deps-1690797790

update-deps-1690797793

update-deps-1691402717

update-deps-1692612193

update-deps-1692612200

update-deps-1698660199

update-deps-1699265013

update-deps-1699869789

update-deps-1702893806

update-deps-1703498593

update-deps-1704103390

update-deps-1705313002

update-deps-1705313003

update-deps-1707127435

update-deps-1708337007

update-deps-1708941785

update-deps-1709548582

update-deps-1711361006

update-deps-1728295726

update-deps-1728900214

update-deps-1729505043

update-deps-1730714625

update-deps-1731319410

update-deps-1731924224

update-deps-1733738623

update-deps-1734343423

update-deps-1734948213

update-deps-1735553019

update-deps-1735553021

update-deps-1736157834

update-deps-1736762637

update-deps-1737367411

update-deps-1737367413

update-deps-1737972215

update-deps-1738577008

update-deps-1739181819

update-deps-1739786702

update-deps-1740391424

update-deps-1740996509

update-deps-1741601012

update-deps-1742205840

update-deps-1742810656

update-deps-1744021399

update-deps-1745229858

update-deps-1745836636

update-deps-1746439470

update-deps-1747044270

update-deps-1747649082

update-deps-1748254077

update-deps-1748858663

update-deps-1749463460

update-deps-1750068277

update-deps-1750673073

update-deps-1751277848

update-deps-1751882658

update-deps-1752487463

update-deps-1753092271

update-deps-1753697066

update-deps-1754301928

update-deps-1754906674

update-deps-1755511479

update-deps-1755511483

update-deps-1756116259

update-deps-1762164298

update-deps-1770632590

update-deps-1774261326

update-go-version

update-helm-chart-v0.14.2

update-ibm-docs

update-vault-api

validate-secret-store-gitlab

validate-store-oracle

STSAssumeRoleToken uses sts:AssumeRole to obtain temporary AWS credentials.

Unlike STSSessionToken (which calls GetSessionToken), this generator works with any type of AWS credentials — including temporary session credentials from IRSA / pod identity — making it suitable for on-premises clusters, EKS with IRSA, or any environment where the caller already holds temporary credentials.

When to use STSAssumeRoleToken vs STSSessionToken

Scenario	Generator
Long-term IAM credentials, need MFA enforcement	`STSSessionToken`
Long-term IAM credentials, need to assume a role	`STSAssumeRoleToken`
IRSA / pod identity (temporary credentials) + role assumption	`STSAssumeRoleToken`
IRSA / pod identity, no additional role assumption needed	Use `ECRAuthorizationToken` or provider directly

Output Keys and Values

Key	Description
access_key_id	The access key ID of the assumed role credentials.
secret_access_key	The secret access key of the assumed role credentials.
session_token	The session token required to use the temporary credentials.
expiration	Unix timestamp (seconds) at which the credentials expire. Absent if unknown.

Authentication

You can use either:

Static credentials via spec.auth.secretRef — a Kubernetes Secret containing your long-term IAM access key and secret.
IRSA / service account token via spec.auth.jwt — uses the pod's projected service account token to call AssumeRoleWithWebIdentity, then chains an additional AssumeRole to the target role.

If neither is specified, the AWS SDK default credential chain is used (environment variables, EC2 instance metadata, etc.).

Request Parameters

Field	Description
`requestParameters.sessionDuration`	Duration in seconds for the assumed role session. Range: 900–43200. Default: 3600 (1 hour).
`requestParameters.externalID`	External ID for cross-account role assumption. Required when the role trust policy enforces it.

Example Manifest

{% include 'generator-stsassumerole.yaml' %}

Example ExternalSecret that references the STSAssumeRoleToken generator:

{% include 'generator-stsassumerole-example.yaml' %}

stsassumerole.md 2.7 KB لینک دائمی تاريخچه خام

When to use STSAssumeRoleToken vs STSSessionToken

Output Keys and Values

Authentication

Request Parameters

Example Manifest

stsassumerole.md 2.7 KB

لینک دائمی تاريخچه خام