How can I use EC2 instance profiles (turn off using a ServiceAccount)? #12

Open
brsolomon-deloitte opened this issue Jan 9, 2023 · 4 comments

```
./kes-to-eso generate \
    --kes-deployment-name external-secrets-kubernetes-external-secrets \
    -i kes_files -o kestoeso_output \
    --kes-namespace adega
WARN[0004] Failed to Install AWS Backend Specific configuration: could not find aws credential information (secrets or sa with role-arn annotation) on kes deployment. Make sure you have set up Controller Pod Identity or manually edit SecretStore before applying it
```

I don't want to use a Secret or annotated ServiceAccount - I want to use the IAM role attached to EKS worker nodes, which has always been sufficient for ESO itself. Will kes-to-eso allow me to do that, and if so, how?

brsolomon-deloitte (Author) commented Jan 9, 2023

To be clear, the IAM Role attached to EKS nodes has full access to secretsmanager:*. We are forbidden from using IAM roles for service accounts.

moolen (Member) commented Jan 10, 2023

kes-to-eso can't set up the SecretStore for you when you use EC2 instance profiles. You need to manually change the SecretStore so it works for your use-case. I think you just need to set the spec.aws.region in the SecretStore (everything else should be handled through the default credentials chain).
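
The manual edit described in the comment above, as an added example that is not part of the original thread or the tool's own output: a SecretStore with no `auth` block, so the ESO controller falls back to the AWS SDK default credentials chain and picks up the node's instance profile. The store name, the region value and the `v1beta1` API version are assumptions; in the ESO API the region field sits under `spec.provider.aws`.

```yaml
# Added example; names and values marked "assumed" are not from the thread.
apiVersion: external-secrets.io/v1beta1   # assumed API version
kind: SecretStore
metadata:
  name: aws-secretsmanager                # assumed (hypothetical) store name
  namespace: adega                        # namespace used in the command above
spec:
  provider:
    aws:
      service: SecretsManager             # the node role grants secretsmanager:*
      region: REGION_PLACEHOLDER          # assumed; replace with your AWS region
      # No "auth" and no "role" key on purpose. With neither present, the
      # controller uses the SDK default credentials chain, which ends at the
      # EC2 instance profile served by the instance metadata service (IMDS).
      #
      # Remove either of these forms if they appear in a generated file:
      #
      # auth:
      #   secretRef:                      # static access keys stored in a Secret
      #     accessKeyIDSecretRef:
      #       name: aws-credentials
      #       key: access-key-id
      #     secretAccessKeySecretRef:
      #       name: aws-credentials
      #       key: secret-access-key
      #
      # auth:
      #   jwt:                            # IAM roles for service accounts
      #     serviceAccountRef:
      #       name: external-secrets
      #
      # Caveats for this setup:
      # - The controller pod must be able to reach IMDS. With IMDSv2 and a
      #   hop limit of 1, pods that do not use host networking cannot.
      # - Every pod that can reach IMDS on the node gets the same role, so
      #   the role's secretsmanager:* scope applies to all of them, not
      #   only to ESO.
```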

brsolomon-deloitte changed the title from "How can I turn off using a ServiceAccount?" to "How can I use EC2 instance profiles (turn off using a ServiceAccount)?" Jan 10, 2023

brsolomon-deloitte (Author) commented

> kes-to-eso can't set up the SecretStore for you when you use EC2 instance profiles.

But does ./kes-to-eso generate require a SecretStore object to exist? The readme could make it clearer if an existing ESO deployment is required to run all subcommands of the binary.

moolen (Member) commented Jan 12, 2023

> But does ./kes-to-eso generate require a SecretStore object to exist?

It creates a (Cluster)SecretStore for you and stores it in a local directory.
