feat(aws): allow custom endpoints for aws services (#602)

* allow custom endpoints for aws services Signed-off-by: S.Cavallo <[email protected]> * camel case variables Signed-off-by: S.Cavallo <[email protected]> * documentation for custom endpoints Signed-off-by: smcavallo <[email protected]>
external-secrets · Feb 1, 2021 · 03f5c65 · 03f5c65
1 parent 7618898
commit 03f5c65
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -79,6 +79,12 @@ Access to AWS secrets backends (SSM & secrets manager) can be granted in various
 
 4. Directly provide AWS access credentials to the `kubernetes-external-secrets` pod by environmental variables.
 
+5. Optionally configure custom endpoints using environment variables
+    * [AWS_SM_ENDPOINT](https://docs.aws.amazon.com/general/latest/gr/asm.html) - Useful to set endpoints for FIPS compliance.
+    * [AWS_STS_ENDPOINT](https://docs.aws.amazon.com/general/latest/gr/sts.html) - Useful to set endpoints for FIPS compliance or regional latency.
+    * [AWS_SSM_ENDPOINT](https://docs.aws.amazon.com/general/latest/gr/ssm.html) - Useful to set endpoints for FIPS compliance or custom VPC endpoint.
+
+
 ##### Using AWS access credentials
 
 Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars in the `kubernetes-external-secrets` session/pod.

diff --git a/charts/kubernetes-external-secrets/values.yaml b/charts/kubernetes-external-secrets/values.yaml
@@ -26,6 +26,10 @@ env:
   # Set a role to be used when assuming roles specified in external secret (AWS only)
   # AWS_INTERMEDIATE_ROLE_ARN:
   # GOOGLE_APPLICATION_CREDENTIALS: /app/gcp-creds/gcp-creds.json
+  # Use custom endpoints for FIPS compliance
+  # AWS_STS_ENDPOINT: https://sts-fips.us-east-1.amazonaws.com
+  # AWS_SSM_ENDPOINT: http://ssm-fips.us-east-1.amazonaws.com
+  # AWS_SM_ENDPOINT: http://secretsmanager-fips.us-east-1.amazonaws.com
 
 # Create environment variables from existing k8s secrets
 # envVarsFromSecret:

diff --git a/config/aws-config.js b/config/aws-config.js
@@ -18,13 +18,29 @@ const localstack = process.env.LOCALSTACK || 0
 
 const intermediateRole = process.env.AWS_INTERMEDIATE_ROLE_ARN || 0
 
+const stsEndpoint = process.env.AWS_STS_ENDPOINT || 0
+const ssmEndpoint = process.env.AWS_SSM_ENDPOINT || 0
+const smEndpoint = process.env.AWS_SM_ENDPOINT || 0
+
 let secretsManagerConfig = {}
 let systemManagerConfig = {}
 let stsConfig = {
   region: process.env.AWS_REGION || 'us-west-2',
   stsRegionalEndpoints: process.env.AWS_STS_ENDPOINT_TYPE || 'regional'
 }
 
+if (smEndpoint) {
+  secretsManagerConfig.endpoint = smEndpoint
+}
+
+if (ssmEndpoint) {
+  systemManagerConfig.endpoint = ssmEndpoint
+}
+
+if (stsEndpoint) {
+  stsConfig.endpoint = stsEndpoint
+}
+
 if (localstack) {
   secretsManagerConfig = {
     endpoint: process.env.LOCALSTACK_SM_URL || 'http://localhost:4584',