Comments (5)
I've resolved the error by adjusting the trust relationships in IAM. As a result, the access denied issue has been successfully addressed. However, now I am getting the error below.
e.g.,

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxx:oidc-provider/oidc.eks.xxx-1.amazonaws.com/id/xxxxx"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.xxxx.amazonaws.com/id/xxxx:sub": "system:serviceaccount:cert-manager:cert-manager"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxx:role/cert-manager"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

```text
E0325 18:58:02.592653 1 sync.go:190] "propagation check failed" err="NS ns-512.awsdns-00.net.:53 returned REFUSED for _acme-challenge.stage-keycloak.xxx.xxx.com." logger="cert-manager.challenges" resource_name="stage-keycloak.tage-keycloak.xxx.xxx-1647614373" resource_namespace="keycloak" resource_kind="Challenge" resource_version="v1" dnsName="stage-keycloak.xxxl.xxx.com" type="DNS-01"
```
from cert-manager.
The logs from the certificate manager display the following error stack traces:

```text
E0325 02:12:23.998103 1 sync.go:126] "Failed to determine the list of Challenge resources needed for the Order" err="no configured challenge solvers can be used for this challenge" logger="cert-manager.orders" resource_name="stage-keycloak.xxxx.xxxx-2242030729" resource_namespace="keycloak" resource_kind="Order" resource_version="v1"
E0325 02:12:24.035530 1 sync.go:126] "Failed to determine the list of Challenge resources needed for the Order" err="no configured challenge solvers can be used for this challenge" logger="cert-manager.orders" resource_name="stage-stage-keycloak.xxxx.xxxx-2242030729" resource_namespace="keycloak" resource_kind="Order" resource_version="v1"
E0325 02:12:24.036247 1 controller.go:167] "re-queuing item due to error processing" err=<
	error instantiating route53 challenge solver: unable to assume role: AccessDenied: User: arn:aws:sts::9xxxx2:assumed-role/cert-manager/1711332743998839274 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::9xxxxx2:role/cert-manager
	status code: 403, request id: f60496bf-f21d-415e-9d8f-bee17dd2fd01
```
from cert-manager.
The name of the service account for 'cert-manager' installed by Helm is 'cert-manager-controller'. You need to change the service account binding to 'cert-manager-controller'.
from cert-manager.
@leganck - I've noticed that the service account name defaults to 'cert-manager', but would you recommend changing it to 'cert-manager-controller' in this context?
JFYR,
```console
❯ k get sa -n cert-manager
NAME                      SECRETS   AGE
aws-privateca-issuer-sa   0         20d
cert-manager              0         12h
cert-manager-cainjector   0         12h
cert-manager-webhook      0         12h
default                   0         20d
❯ k get sa -n cert-manager cert-manager -o yaml
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::9xxxxx2:**role/cert-manager**
    meta.helm.sh/release-name: cert-manager
    meta.helm.sh/release-namespace: cert-manager
  creationTimestamp: "2024-03-25T00:41:24Z"
  labels:
    app: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: v1.14.4
    helm.sh/chart: cert-manager-v1.14.4
    helm.toolkit.fluxcd.io/name: cert-manager
    helm.toolkit.fluxcd.io/namespace: cert-manager
  name: cert-manager
  namespace: cert-manager
  resourceVersion: "15982674"
  uid: d0e4c9fb-1e64-43c2-8002-f0d488e63157
❯ k get deploy -n cert-manager cert-manager -o yaml | grep -i service
      enableServiceLinks: false
      serviceAccount: cert-manager
      serviceAccountName: cert-manager
```
from cert-manager.
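As an added example (not cert-manager code and not from any participant in this thread), a small Python check that cross-references an IRSA trust policy against the ServiceAccount it is meant to bind: the `sub` condition must name exactly the namespace and service-account name that carries the `eks.amazonaws.com/role-arn` annotation, which is the point in question between the trust policy posted earlier and the `k get sa` output above. The sample data is constructed from the redacted values in the thread (placeholder account id and OIDC id); the `aud` check and the self-trust warning are review points added here, not something the thread states.

```python
# Added example: check that an IRSA trust policy and the ServiceAccount it
# should bind agree. Sample data is constructed from the redacted values in
# this thread; the OIDC provider path and account id are placeholders.
OIDC = "oidc.eks.xxxx.amazonaws.com/id/xxxx"          # placeholder provider path
ROLE_ARN = "arn:aws:iam::9xxxxx2:role/cert-manager"   # role named in the SA annotation

TRUST_POLICY = {  # constructed copy of the trust policy posted in the thread
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Federated": f"arn:aws:iam::9xxxxx2:oidc-provider/{OIDC}"},
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {"StringEquals": {
             f"{OIDC}:sub": "system:serviceaccount:cert-manager:cert-manager"}}},
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "sts:AssumeRole"},
    ],
}

SERVICE_ACCOUNT = {  # constructed from the `k get sa ... -o yaml` output in the thread
    "metadata": {"name": "cert-manager", "namespace": "cert-manager",
                 "annotations": {"eks.amazonaws.com/role-arn": ROLE_ARN}},
}

def check_irsa_binding(policy: dict, sa: dict, role_arn: str) -> list:
    """Return review findings; an empty list means the binding is consistent."""
    meta = sa["metadata"]
    expected_sub = f"system:serviceaccount:{meta['namespace']}:{meta['name']}"
    findings = []
    if meta.get("annotations", {}).get("eks.amazonaws.com/role-arn") != role_arn:
        findings.append("ServiceAccount is not annotated with this role's ARN")
    web_identity = [s for s in policy["Statement"]
                    if s.get("Action") == "sts:AssumeRoleWithWebIdentity"
                    and "Federated" in s.get("Principal", {})]
    if not web_identity:
        findings.append("no Federated sts:AssumeRoleWithWebIdentity statement")
    for stmt in web_identity:
        cond = stmt.get("Condition", {})
        subs = [v for op in cond.values() for k, v in op.items() if k.endswith(":sub")]
        if expected_sub not in subs:   # the namespace:name pair must match exactly
            findings.append(f"sub condition {subs} does not match {expected_sub}")
        if "StringLike" in cond or any("*" in str(v) for v in subs):
            findings.append("wildcard sub condition lets other pods assume the role")
        if not any(k.endswith(":aud") for op in cond.values() for k in op):
            findings.append("no aud condition (IRSA tokens carry aud sts.amazonaws.com)")
    # The second statement lets the role assume itself; surface it for review.
    for stmt in policy["Statement"]:
        if stmt.get("Action") == "sts:AssumeRole" and stmt.get("Principal", {}).get("AWS") == role_arn:
            findings.append("role trusts itself via sts:AssumeRole; check whether a role hop is needed")
    return findings
```

Running it against the thread's own values reports only the missing `aud` condition and the self-trust statement; renaming the ServiceAccount to `cert-manager-controller` without updating the policy adds a `sub` mismatch finding.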
Good to see you are making progress.
I'll close this issue and we can continue in #6874.
from cert-manager.