I am trying out the recently added SSM support (thank you @tmxak); however, the examples in the README are not working for me. I installed via helm, overriding the image tag to 1.3.1 since the chart still installs 1.2.0 by default.

Using the commands and files from the README as-is, I see the following in the logs:
```
{"level":30,"time":1564662741812,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"loading kube specs","v":1}
{"level":30,"time":1564662742016,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"successfully loaded kube specs","v":1}
{"level":30,"time":1564662742016,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"updating CRD","v":1}
{"level":30,"time":1564662742016,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"Upserting custom resource externalsecrets.kubernetes-client.io","v":1}
{"level":30,"time":1564662742088,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"successfully updated CRD","v":1}
{"level":30,"time":1564662742088,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"starting app","v":1}
Thu, 01 Aug 2019 12:32:22 GMT kubernetes-client deprecated .getStream see https://github.com/godaddy/kubernetes-client/blob/master/merging-with-kubernetes.md at lib/external-secret.js:40:10
{"level":30,"time":1564662742091,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"successfully started app","v":1}
{"level":30,"time":1564662842812,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"spinning up poller {\"id\":\"a4e32d63-b458-11e9-97b5-0ed027fcb918\",\"namespace\":\"tmp-jst\",\"secretDescriptor\":{\"backendType\":\"systemManager\",\"data\":[{\"key\":\"/hello-service/password\",\"name\":\"password\"}],\"name\":\"hello-service\"},\"ownerReference\":{\"apiVersion\":\"kubernetes-client.io/v1\",\"controller\":true,\"kind\":\"ExternalSecret\",\"name\":\"hello-service\",\"uid\":\"a4e32d63-b458-11e9-97b5-0ed027fcb918\"}}","v":1}
{"level":30,"time":1564662842815,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"starting poller","v":1}
{"level":30,"time":1564662852820,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"running poll","v":1}
{"level":30,"time":1564662852821,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"fetching secret property password","v":1}
{"level":50,"time":1564662853292,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","msg":"failure while polling the secrets","v":1}
{"level":50,"time":1564662853292,"pid":18,"hostname":"infra-kubernetes-external-secrets-5879f96844-jj8lz","type":"Error","stack":"ParameterNotFound: null\n at Request.extractError (/app/node_modules/aws-sdk/lib/protocol/json.js:51:27)\n at Request.callListeners (/app/node_modules/aws-sdk/lib/sequential_executor.js:106:20)\n at Request.emit (/app/node_modules/aws-sdk/lib/sequential_executor.js:78:10)\n at Request.emit (/app/node_modules/aws-sdk/lib/request.js:683:14)\n at Request.transition (/app/node_modules/aws-sdk/lib/request.js:22:10)\n at AcceptorStateMachine.runTo (/app/node_modules/aws-sdk/lib/state_machine.js:14:12)\n at /app/node_modules/aws-sdk/lib/state_machine.js:26:10\n at Request.<anonymous> (/app/node_modules/aws-sdk/lib/request.js:38:9)\n at Request.<anonymous> (/app/node_modules/aws-sdk/lib/request.js:685:12)\n at Request.callListeners (/app/node_modules/aws-sdk/lib/sequential_executor.js:116:18)","message":null,"code":"ParameterNotFound","time":"2019-08-01T12:34:13.289Z","requestId":"6a949ea3-ef3d-4bca-89fe-aa47c309c4b8","statusCode":400,"retryable":false,"retryDelay":58.61510348117784,"msg":null,"v":1}
```
The parameter exists:

```
aws ssm get-parameter --name "/hello-service/password"
```

```
{ "Parameter": { "Name": "/hello-service/password", "Type": "String", "Value": "1234", "Version": 2, "LastModifiedDate": 1564664235.796, "ARN": "arn:aws:ssm:us-east-1:XXXX:parameter/hello-service/password" } }
```
I confirmed the IAM role is working by revoking its access to ssm:GetParameter, which results in the following in the external-secrets logs:

```
"msg":"User: arn:aws:sts::XXXX:assumed-role/k8s-parameter_store_readonly/kiam-kiam is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:XXXX:parameter/hello-service/password"
```
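The parameter ARN in the `aws ssm get-parameter` output above names region us-east-1, while the access-denied message names us-west-2. As an added example (not part of this issue or of the kubernetes-external-secrets project), the script below parses pino-style JSON log lines like the ones quoted here, lists the keys each poller requested, collects the AWS SDK error codes, and flags when the regions named in SSM ARNs in the logs differ from the one in the CLI output; the sample log lines are constructed from the entries above, with hostname and stack trace omitted.

```python
"""Triage kubernetes-external-secrets (pino JSON) logs for failed SSM lookups."""
import json
import re

# Region and parameter name of an SSM parameter ARN; the account field may be masked (XXXX).
SSM_ARN_RE = re.compile(r'arn:aws:ssm:([a-z0-9-]+):[^:]*:parameter(/[^\s"]+)')
POLLER_PREFIX = "spinning up poller "

def parse_lines(lines):
    """Yield one dict per JSON log line; plain-text lines such as deprecation warnings are skipped."""
    for line in lines:
        line = line.strip()
        if line.startswith("{"):
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                pass

def triage(lines, cli_arn):
    """Summarise requested keys, AWS error codes and the regions named in SSM ARNs.
    cli_arn is the ARN printed by `aws ssm get-parameter` for the same key; the
    result flags a mismatch when the logs name a different region than it does."""
    keys, errors, regions = [], [], set()
    for entry in parse_lines(lines):
        msg = entry.get("msg") or ""  # msg is null on the AWS SDK error entry
        if msg.startswith(POLLER_PREFIX):
            # The poller start message embeds the ExternalSecret spec as a JSON string.
            spec = json.loads(msg[len(POLLER_PREFIX):])
            keys += [d["key"] for d in spec.get("secretDescriptor", {}).get("data", [])]
        if entry.get("level", 0) >= 50 and entry.get("code"):
            errors.append(entry["code"])
        for region, _name in SSM_ARN_RE.findall(json.dumps(entry)):
            regions.add(region)
    cli_region = SSM_ARN_RE.search(cli_arn).group(1)
    return {"keys": keys, "errors": errors, "log_regions": sorted(regions),
            "region_mismatch": bool(regions) and regions != {cli_region}}

# Constructed sample, modelled on the entries quoted in this issue (hostname and stack omitted).
SAMPLE_LOG = [
    r'{"level":30,"time":1564662842812,"pid":18,"msg":"spinning up poller {\"id\":\"a4e32d63\",\"namespace\":\"tmp-jst\",\"secretDescriptor\":{\"backendType\":\"systemManager\",\"data\":[{\"key\":\"/hello-service/password\",\"name\":\"password\"}],\"name\":\"hello-service\"}}","v":1}',
    "Thu, 01 Aug 2019 12:32:22 GMT kubernetes-client deprecated .getStream",
    '{"level":50,"time":1564662853292,"pid":18,"msg":"failure while polling the secrets","v":1}',
    '{"level":50,"time":1564662853292,"pid":18,"type":"Error","message":null,"code":"ParameterNotFound","statusCode":400,"msg":null,"v":1}',
    '{"level":50,"time":1564662900000,"pid":18,"msg":"User: arn:aws:sts::XXXX:assumed-role/k8s-parameter_store_readonly/kiam-kiam is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:XXXX:parameter/hello-service/password","v":1}',
]
CLI_ARN = "arn:aws:ssm:us-east-1:XXXX:parameter/hello-service/password"

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, CLI_ARN))
```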