Knowledge Base

ALB Controller Auth Annotations

Answer

I am experiencing a permissions issue with the `aws-alb-ingress-controller` when adding ingress annotations to my k8s service. I want to apply [auth annotations](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/#authentication) to the ingress so the ALB will perform auth with OIDC. I've verified the ingress and service are in the same namespace and have configured the annotations like so:

```
ingress_annotations = {
  "alb.ingress.kubernetes.io/auth-type"     = "oidc"
  "alb.ingress.kubernetes.io/auth-idp-oidc" = jsonencode({
    "issuer"                = "https://auth.example.com/"
    "authorizationEndpoint" = "https://auth.example.com/authorize"
    "tokenEndpoint"         = "https://auth.example.com/oauth/token"
    "userInfoEndpoint"      = "https://auth.example.com/userinfo"
    "secretName"            = "auth0-example"
  })
  "alb.ingress.kubernetes.io/auth-scope" = "openid profile email"
}
```

Yet I get the following error message when I inspect the controller logs:

```
{
  "level": "error",
  "ts": 1657149857.8069274,
  "logger": "controller-runtime.manager.controller.ingress",
  "msg": "Reconciler error",
  "name": "sample-app-frontend-example-env",
  "namespace": "app",
  "error": "ingress: app/sample-app-frontend-example-env: secrets \"auth0-example\" is forbidden: User \"system:serviceaccount:kube-system:aws-alb-ingress-controller\" cannot get resource \"secrets\" in API group \"\" in the namespace \"app\""
}
```

How can I get the ingress controller to pick up the secret needed to configure auth on the ALB?

[r:terraform-aws-service-catalog](https://github.com/gruntwork-io/terraform-aws-service-catalog) [r:helm-kubernetes-services](https://github.com/gruntwork-io/helm-kubernetes-services)

We don't have explicit support for this in the modules, but a workaround would be to directly create an RBAC role that allows access to secrets in that namespace, and bind it to the ingress controller service account. You can do this by either creating a Kubernetes manifest file and using `kubectl apply -f`, or a Terraform module that uses the `kubernetes` provider. Separately, I have filed https://github.com/gruntwork-io/terraform-aws-service-catalog/issues/1596 to track the feature enhancement to support doing this through our modules.
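A concrete form of that workaround, using the Terraform `kubernetes` provider. This is an added example, not code from `terraform-aws-service-catalog` or `helm-kubernetes-services`. It assumes the `kubernetes` provider is already configured against the cluster. The namespace `app`, the secret name `auth0-example`, and the service account `aws-alb-ingress-controller` in `kube-system` are taken from the error message above; the Role and RoleBinding names are my own choice. The rule is narrowed to the single secret with `resource_names`, so the controller gains read access to exactly the secret the annotation references rather than to every secret in the namespace.

```hcl
# Added example (not part of the Gruntwork modules). Assumes a configured
# `kubernetes` provider. Values marked "from error" come from the controller
# log in the question; values marked "chosen" are arbitrary names.

locals {
  ingress_namespace          = "app"                        # from error
  auth_secret_name           = "auth0-example"              # secretName in the auth-idp-oidc annotation
  controller_service_account = "aws-alb-ingress-controller" # from error
  controller_namespace       = "kube-system"                # from error
}

# Namespaced Role in the ingress namespace: only "get" on the one secret the
# ALB auth annotation points at. The error message names only the "get" verb;
# add "list"/"watch" here only if the controller logs show those being denied
# too (note that resource_names does not narrow list/watch the way it narrows
# get, so that case may need a namespace-wide rule).
resource "kubernetes_role" "alb_auth_secret_reader" {
  metadata {
    name      = "alb-auth-secret-reader" # chosen
    namespace = local.ingress_namespace
  }

  rule {
    api_groups     = [""] # core API group, as in the error message
    resources      = ["secrets"]
    resource_names = [local.auth_secret_name]
    verbs          = ["get"]
  }
}

# Bind the Role to the controller's service account. A RoleBinding can grant a
# Role in one namespace to a ServiceAccount that lives in another, which is
# exactly the cross-namespace case here (kube-system -> app).
resource "kubernetes_role_binding" "alb_auth_secret_reader" {
  metadata {
    name      = "alb-auth-secret-reader" # chosen
    namespace = local.ingress_namespace
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.alb_auth_secret_reader.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = local.controller_service_account
    namespace = local.controller_namespace
  }
}
```

After `terraform apply`, confirm the grant from the controller's point of view before waiting on a reconcile: `kubectl auth can-i get secrets/auth0-example -n app --as=system:serviceaccount:kube-system:aws-alb-ingress-controller` should print `yes`, and the same check against another secret name in `app` should still print `no`. A Role plus RoleBinding is preferred over a ClusterRole here because the controller only needs to read secrets in the namespaces that carry auth-annotated ingresses; repeat the pair per namespace rather than widening the scope.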