Conversation
@jroper I added a few little comments.
Additionally I wanted to test the full setup by creating my own service with an AWS secret. I found the aws-us-east-2 region in our dev environment, but it doesn't have a workload identity configured. How did you test it?
|Field |Type |Description

|*name* |string _required_ |The name of the object. For Secrets Manager this is the SecretId parameter and can either be the friendly name or full ARN of the secret. For SSM Parameter Store, this is the name of the parameter and can be either the name or full ARN of the parameter.
|*type* |string |The ID of the tenant that the KeyVault is in. Optional if an ARN was specified in name, required otherwise.
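Review bot: the `type` row is typed as plain `string` while `name` is `string _required_`, yet the Description column is where the reader learns that `type` is required unless `name` is an ARN; state that condition in the Type column the way the `name` row does (for example `string _required unless name is an ARN_`) so the two rows follow one convention and a reader scanning only the Type column sees both rules.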
Could this be a copy-paste mistake?

> The ID of the tenant that the KeyVault is in.

After checking the akka_secrets_external_create_aws.adoc file, I'd recommend replacing it with something like

> The type of the object, either secretsmanager or ssmparameter.

[source, command window]
----
export AKKA_OIDC_ISSUER=$(akka secrets external info -o go-template='{{(index .Items 0).WorkloadIdentity.Aws.OidcIssuer}}'}
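Review bot: `{{(index .Items 0).WorkloadIdentity.Aws.OidcIssuer}}` takes the first item of the `akka secrets external info` listing without saying which item is expected, so a project with more than one external secret configured can silently export another configuration's OIDC issuer; either say in the surrounding text that this assumes a single entry, or select the entry by its name rather than by position. Also, this snippet is tagged `[source, command window]` while the create example further down is `[source, command line]`; pick one label for the page.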
> export AKKA_OIDC_ISSUER=$(akka secrets external info -o go-template='{{(index .Items 0).WorkloadIdentity.Aws.OidcIssuer}}'}

There's a `}` at the end. It should be a `)` instead:

`export AKKA_OIDC_ISSUER=$(akka secrets external info -o go-template='{{(index .Items 0).WorkloadIdentity.Aws.OidcIssuer}}')`

[source, command window]
----
akka service deploy $AKKA_SERVICE_NAME
Can we add a `\` at the end of the first line? My shell executed `akka service deploy $AKKA_SERVICE_NAME` alone, then failed on the second line.

--
CLI::
+
Use the `akka secret external aws create` command.
The PR uses:

`akka secret external aws create`
`akka secret external aws update`

The CLI reference (akka_secrets_external_create_aws.adoc) documents:

`akka secrets external create aws`
`akka secrets external update aws`

[source, command line]
----
akka secret external aws create my-external-secret \ <1>
--object-name arn:aws:secretsmanager::$AWS_ACCOUNT_ID:secret:my-secret-QNTAHI \ <2>
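Review bot: `$AWS_ACCOUNT_ID` is used in the `--object-name` value but nothing in the snippet shows it being set, so the command copied as-is produces an ARN with an empty account field; add an `export AWS_ACCOUNT_ID=...` step (or a callout) before this command. Also, `my-secret-QNTAHI` ends in the six-character suffix that Secrets Manager appends to every secret ARN, so callout `<2>` should say that the suffix is specific to the reader's own secret and must be copied from the console or from `aws secretsmanager describe-secret`, not typed from this example.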
> --object-name arn:aws:secretsmanager::$AWS_ACCOUNT_ID:secret:my-secret-QNTAHI

Secrets Manager is a regional service. ARNs include the region: `arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:NAME`. The region field is empty here. Should likely be:

`--object-name arn:aws:secretsmanager:$AWS_REGION:$AWS_ACCOUNT_ID:secret:my-secret-QNTAHI`

@girdharshubham we still don't have OIDC configuration in aws-us-east-2 on dev. Can we have that added?

Done with this PR
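The ARN point raised in the review above (the empty region field in `arn:aws:secretsmanager::$AWS_ACCOUNT_ID:secret:...`) can be checked locally before the value is handed to `--object-name`. The following is an added example written for this page, not code from the PR or from the Akka project; the function name and error messages are its own choices, and the 12-digit account id in the demonstration is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not part of the PR or the Akka docs): a POSIX sh check that a
# value destined for --object-name is a well-formed Secrets Manager ARN with a
# non-empty region, so the empty-region mistake is caught locally before the
# ARN reaches the service. The function name, the messages and the sample
# account id are this example's own choices.

# Usage: validate_secretsmanager_arn ARN
# Returns 0 for a well-formed ARN; otherwise prints the reason on stderr and
# returns 1.
validate_secretsmanager_arn() {
  arn=$1

  # Expected shape: arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:NAME
  # Split on ':' only. With a non-whitespace IFS, adjacent delimiters yield an
  # empty field, so a missing region shows up as an empty $4 instead of
  # shifting the later fields. set -f disables globbing on the split words.
  old_ifs=$IFS
  set -f
  IFS=:
  set -- $arn
  IFS=$old_ifs
  set +f

  if [ "$#" -lt 7 ]; then
    echo "expected 7 colon-separated fields, got $# in: $arn" >&2
    return 1
  fi
  if [ "$1" != "arn" ] || [ "$3" != "secretsmanager" ] || [ "$6" != "secret" ]; then
    echo "not a Secrets Manager ARN: $arn" >&2
    return 1
  fi
  if [ -z "$4" ]; then
    echo "region is empty; Secrets Manager is regional: $arn" >&2
    return 1
  fi
  case "$5" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account id must be 12 digits: $arn" >&2; return 1 ;;
  esac
  if [ -z "$7" ]; then
    echo "secret name is empty: $arn" >&2
    return 1
  fi
  return 0
}

# Demonstration on constructed inputs: the page's ARN with a fabricated
# 12-digit account id (region still empty), and the same ARN with a region.
for candidate in \
  "arn:aws:secretsmanager::123456789012:secret:my-secret-QNTAHI" \
  "arn:aws:secretsmanager:us-east-2:123456789012:secret:my-secret-QNTAHI"
do
  if validate_secretsmanager_arn "$candidate"; then
    echo "ok:       $candidate"
  else
    echo "rejected: $candidate"
  fi
done
```

The split is done with IFS rather than a regular expression so that an empty region is seen as an empty field instead of silently shifting the account id into the region position; an SSM Parameter Store ARN (`arn:aws:ssm:REGION:ACCOUNT_ID:parameter/NAME`) is rejected too, since this check is specific to Secrets Manager objects.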