feat: Add support for AWS Secrets Manager #151
Conversation
| ] | ||
| effect = "Allow" | ||
| resources = var.secret_manager_arn == "" || var.secret_manager_arn == null ? ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:*"] : [var.secret_manager_arn] | ||
| } |
There was a problem hiding this comment.
Hmm is there a better default here than allowing access to all secret managers? It looks like the default we are setting for the other policies is ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.node.name}"]
There was a problem hiding this comment.
I think limitations are based on the secret, not the secret manager (you can think of the secret manager as some service you can't control)
Our secrets are prefixed, so maybe we can change to:
"arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${prefix}-*"
from:
"arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:*"
There was a problem hiding this comment.
Got it. Yeah we need some way to make this a no-op so that we don't give installs access to all secrets. Maybe just put in some junk for the prefix? cc: @gls4 if you have any better ideas here. It be nice to refactor this at some point to not provision the policy at all in the case that no secret manager arn is present.
There was a problem hiding this comment.
For simplicity, maybe we can just enforce that the prefix is non-null (or hardcode it as wandb-secret)
I don't think we use the Secret Manager for anything else atm, but maybe in future?
There was a problem hiding this comment.
This is not correct. Please see https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html.
Access to SECRETS needs to be scoped to the cluster, and only for PUT, GET, UPDATE, DELETE operations. There is no need to provide the additional permissions. Moreover, we cannot allow one customer's cluster to read the secrets from another customer, so permissions have got to be scoped correctly from the start.
As for not provisioning the policy in the absence of the arn -- we need to do that now.
There was a problem hiding this comment.
modified permission to be more tightly scoped
modules/app_eks/iam-policy-docs.tf
Outdated
| "secretsmanager:*", | ||
| ] | ||
| effect = "Allow" | ||
| resources = var.secret_manager_arn == "" || var.secret_manager_arn == null ? ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:*"] : [var.secret_manager_arn] |
There was a problem hiding this comment.
Instead of checking for an empty string or null, we should be checking for the appropriate ARN pattern using a regex. This is done in the variable declaration in a validation block. Although validation is not appropriate for some cases, here it is preferred to the proposed solutions because ARNs are of a static and known format. An empty string won't meet the format requirement, which means we only need to check for null.
There was a problem hiding this comment.
modified to just do the regex check with prefix
| ] | ||
| effect = "Allow" | ||
| resources = var.secret_manager_arn == "" || var.secret_manager_arn == null ? ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:*"] : [var.secret_manager_arn] | ||
| } |
There was a problem hiding this comment.
This is not correct. Please see https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html.
Access to SECRETS needs to be scoped to the cluster, and only for PUT, GET, UPDATE, DELETE operations. There is no need to provide the additional permissions. Moreover, we cannot allow one customer's cluster to read the secrets from another customer, so permissions have got to be scoped correctly from the start.
As for not provisioning the policy in the absence of the arn -- we need to do that now.
|
Nice work @andrewtruong! Last question: you've applied these changes to a local instance, and they work? |
Yep, tested on a fresh 0.46.0 instance |
## [3.4.0](v3.3.0...v3.4.0) (2023-11-13) ### Features * Add support for AWS Secrets Manager ([#151](#151)) ([aa64eb1](aa64eb1))
|
This PR is included in version 3.4.0 🎉 |
Adds support for AWS Secret Manager and W&B Secrets using that backend
Tested webhooks e2e on a fresh instance