Questions regarding the AWS Secrets Manager feature with Authentication

[zm-alex]

Hi KEDA community, thanks so much for the great effort you have put in this tool.

I wanted to ask regarding the new feature that allows to retrieve secrets from AWS Secrets Manager to be used for authentication: https://keda.sh/docs/2.13/concepts/authentication/#aws-secret-managers

The feature has been great!

I wanted to know if this feature has support to specify an AWS account? - For my use case, I will have the secrets stored in one AWS account, at one single region. Then my EKS clusters from separate accounts and regions can retrieve the secret from one central place instead of having to replicate the secrets across AWS accounts and regions.

Another question is if we can specify a key inside the secret retrieve? - From my assumption, how the feature works is that I will need two separate AWS Secrets Manager resources if I have username and password, the values of the secrets will have to be plain text. Will it support to have one AWS Secrets Manager resource and inside the secret I specify a key and value for username, key and value for password?

Thanks for your time!

[JorTurFer]

I wanted to know if this feature has support to specify an AWS account? - For my use case, I will have the secrets stored in one AWS account, at one single region. Then my EKS clusters from separate accounts and regions can retrieve the secret from one central place instead of having to replicate the secrets across AWS accounts and regions.

Yeah, you should be able. If you are using aws pod identity, you could need to set the region in the trigger authentication because KEDA will use default region if you don't override it in the triggerauthenticaiton, but it should work (and please open an issue if it doesn't to fix it)

Another question is if we can specify a key inside the secret retrieve? - From my assumption, how the feature works is that I will need two separate AWS Secrets Manager resources if I have username and password, the values of the secrets will have to be plain text. Will it support to have one AWS Secrets Manager resource and inside the secret I specify a key and value for username, key and value for password?

You can just read from one Secret Manager at once, reading multiple key/values from it. (Or maybe I've not got your question)

[zm-alex]

Yeah, you should be able. If you are using aws pod identity, you could need to set the region in the trigger authentication because KEDA will use default region if you don't override it in the triggerauthenticaiton, but it should work (and please open an issue if it doesn't to fix it)

@JorTurFer thanks for the answer! Yes, I am using aws pod identity.

Do you happen to have a working example on how can I specify a different AWS account in the TriggerAuthentication using the AWS Secrets Manager? I know the region could be set but I don't see a parameter to pass in a different AWS account.

CC: @geoffrey1330

[JorTurFer]

Could you share your TriggerAuthentication?

[zm-alex]

apiVersion: keda.sh/v1alpha1
kind: ClusterTriggerAuthentication
metadata:
  name: keda-credentials
spec:
  awsSecretManager:
    podIdentity:
      provider: aws
    region: {{ .Values.credentials.awsSecretsManager.region }}
    secrets:
      - parameter: username
        name: {{ .Values.credentials.awsSecretsManager.userPath }}
      - parameter: password
        name: {{ .Values.credentials.awsSecretsManager.passwordPath }}

For the secrets, I will provide the AWS Secrets Manager Path.

For the keda-operator SA, we have the following annotation with the AWS IAM role that has access to the AWS secrets manager path

Name:                keda-operator
Namespace:           keda
Labels:              app.kubernetes.io/component=operator
                     app.kubernetes.io/instance=keda
                     app.kubernetes.io/managed-by=Helm
                     app.kubernetes.io/name=keda-operator
                     app.kubernetes.io/part-of=keda-operator
                     app.kubernetes.io/version=2.13.0
                     argocd.argoproj.io/instance=keda
                     helm.sh/chart=keda-2.13.1
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::00000000:role/EKS_KEDAOperator

[JorTurFer]

I'm checking the SDK and I don't see any place where I can set the SecretManager account. Do you know if the SDK supports it @geoffrey1330 ?

[geoffrey1330]

I will have to make some quick research around this.

[JorTurFer]

@geoffrey1330 , did you see something?

[miguelzenteno]

I have a similar question.

Instead of doing sending an accessKey and accessSecretKey:

awsSecretManager:
  podIdentity:                                     # Optional.
    provider: aws                                  # Required.
  credentials:                                     # Optional.
    accessKey:                                     # Required.
      valueFrom:                                   # Required.
        secretKeyRef:                              # Required.
          name: {k8s-secret-with-aws-credentials}  # Required.
          key: {key-in-k8s-secret}                    # Required.
    accessSecretKey:                               # Required.
      valueFrom:                                   # Required.
        secretKeyRef:                              # Required.
          name: {k8s-secret-with-aws-credentials}  # Required.
          key: {key-in-k8s-secret}               # Required.
  region: {aws-region}                             # Optional.
  secrets:                                         # Required.
  - parameter: {param-name-used-for-auth}          # Required.
    name: {aws-secret-name}                        # Required.
    version: {aws-secret-version}                  # Optional.

could I just send the IRSA (IAM Role) like this?

awsSecretManager:
  podIdentity:                                     # Optional.
    provider: aws                                  # Required.
    roleArn: <role-arn>                         # Optional. Mutually exclusive with 'credentials' (if set)
  region: {aws-region}                             # Optional.
  secrets:                                         # Required.
  - parameter: {param-name-used-for-auth}          # Required.
    name: {aws-secret-name}                        # Required.
    version: {aws-secret-version}                  # Optional.

[JorTurFer]

I don't get the question. You can already use IRSA just setting:

awsSecretManager:
  podIdentity:
    provider: aws 

This will use KEDA's identity to access the Secret Manager. roleArn is used for overriding the provided value via KEDA role

[JorTurFer]

I mean, you don't need to use accessKey and accessSecretKey if you don't want to use it. The original question was related with setting a secret manager on a different account