Kubernetes - ExternalSecret is not authorized to perform:secretsmanager:GetSecretValue

After I create a EKS from AWS Console, I install external-secret using Helm. I pretty sure my IAM role and policy are correct. But I still can’t get secretsmanager. It turns out that it needs a IDP(Identity Provider).

ERROR, User: arn:aws:sts::xxx:assumed-role/test-cluster-NodeRole/i-0b5ab8adzzzf27a1b is not authorized to perform: secretsmanager:GetSecretValue on resource: sm_rammus because no identity-based policy allows the secretsmanager:GetSecretValue action

I’m sure my IAM json is correct.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/OIDC_PROVIDER"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "OIDC_PROVIDER:sub": "system:serviceaccount:SERVICE_ACCOUNT_NAMESPACE:SERVICE_ACCOUNT_NAME"
        }
      }
    }
  ]
}

I found out that miss a us-east-1 IDP.

Create a new IDP, and fill:

• URL: Copy from EKSOpenID Connect provider URL
• Audience: sts.awazonaws.com

Reference

• https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
• https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html