[Feature] Allow specification of IAM permission boundary for Auto Mode's Node Role #8305

Open
amdonov opened this issue Mar 21, 2025 · 2 comments
Labels
kind/feature New feature or request stale

Comments

amdonov commented Mar 21, 2025

Currently, most IAM roles in eksctl support either referencing existing roles or specifying permission boundaries when creating new ones, but autoModeConfig lacks this capability. This forces customers with permission boundary requirements to:

  1. Create the auto mode node role in advance, outside the cluster creation flow
  2. Reference it via nodeRoleARN in their configuration

Adding a permissionBoundaryARN parameter under autoModeConfig would eliminate this extra step and allow the role to be managed directly through the cluster's CloudFormation stack, maintaining the infrastructure-as-code approach.

Current Limitation
In EKS Auto Mode, when using eksctl to create clusters, the IAM permissions boundary feature that exists for other roles isn't available for autoModeConfig. This creates inconsistency in how IAM roles are managed across the tool.

Proposed Solution
Add a permissionBoundaryARN parameter to the autoModeConfig section of the eksctl ClusterConfig specification. This would allow users to specify an IAM permission boundary ARN that would be applied when creating the auto mode node role.

Example implementation in the ClusterConfig:

```yaml
autoModeConfig:
  # Existing parameters
  enabled: true
  # New parameter
  permissionBoundaryARN: arn:aws:iam::111122223333:policy/my-permission-boundary
```

This enhancement would align with AWS best practices for IAM permissions management and make eksctl more consistent in its handling of IAM roles. It would also make it easier for organizations that use permission boundaries as part of their security controls to adopt EKS Auto Mode.

@amdonov amdonov added the kind/feature New feature or request label Mar 21, 2025
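The request above boils down to a policy rule an organisation wants enforced: an Auto Mode node role must never be created without the required permissions boundary. The following is an added example, not eksctl code and not from the issue author, of a pre-flight check that applies that rule to a parsed ClusterConfig. It assumes the config has already been loaded into a dict (for example with `yaml.safe_load`) and treats `permissionBoundaryARN` under `autoModeConfig` as the proposed key from this issue, which eksctl does not yet accept; the `nodeRoleARN` case is the workaround described in the issue, where the role is pre-created and its boundary has to be verified on the role itself rather than in the config. The sample configs and ARNs are constructed for the example.

```python
"""Pre-flight check: does an eksctl ClusterConfig's Auto Mode node role carry
the organisation's required IAM permissions boundary?

Added example; not part of eksctl. `permissionBoundaryARN` is the key
proposed in this issue, not a key eksctl currently supports.
"""
import re

# Loose shape checks for IAM ARNs in any AWS partition (aws, aws-cn, aws-us-gov).
_POLICY_ARN = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::\d{12}:policy/[\w+=,.@/-]+$")
_ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")

# The boundary the organisation mandates (constructed; taken from the issue's YAML).
REQUIRED_BOUNDARY = "arn:aws:iam::111122223333:policy/my-permission-boundary"


def check_auto_mode_boundary(config: dict, required_boundary: str) -> tuple[bool, list[str]]:
    """Return (compliant, messages) for the autoModeConfig section of a ClusterConfig.

    Rules applied:
      * Auto Mode absent or disabled: nothing is created, so nothing to check.
      * nodeRoleARN set: eksctl will not create a role; compliant from the
        config's point of view, but the boundary must be confirmed on the
        pre-created role (iam:GetRole) rather than here, so a note is emitted.
      * Otherwise the proposed permissionBoundaryARN must be present, be a
        well-formed policy ARN, and equal the required boundary.
    """
    messages: list[str] = []
    amc = config.get("autoModeConfig") or {}
    if not amc.get("enabled"):
        return True, messages

    node_role = amc.get("nodeRoleARN")
    if node_role:
        if not _ROLE_ARN.match(node_role):
            messages.append(f"nodeRoleARN is not a well-formed IAM role ARN: {node_role}")
            return False, messages
        messages.append(
            f"note: pre-created role {node_role}; confirm its PermissionsBoundary via iam:GetRole"
        )
        return True, messages

    boundary = amc.get("permissionBoundaryARN")
    if boundary is None:
        messages.append("autoModeConfig would create a node role with no permissionBoundaryARN")
        return False, messages
    if not _POLICY_ARN.match(boundary):
        messages.append(f"permissionBoundaryARN is not a well-formed IAM policy ARN: {boundary}")
        return False, messages
    if boundary != required_boundary:
        messages.append(f"permissionBoundaryARN {boundary} is not the required boundary {required_boundary}")
        return False, messages
    return True, messages


# Constructed sample configs (the parsed form of the YAML an operator would write).
SAMPLE_PROPOSED = {
    "autoModeConfig": {"enabled": True, "permissionBoundaryARN": REQUIRED_BOUNDARY}
}
SAMPLE_MISSING = {"autoModeConfig": {"enabled": True}}
SAMPLE_PRECREATED = {
    "autoModeConfig": {
        "enabled": True,
        "nodeRoleARN": "arn:aws:iam::111122223333:role/eks-auto-node-role",
    }
}
SAMPLE_WRONG = {
    "autoModeConfig": {
        "enabled": True,
        "permissionBoundaryARN": "arn:aws:iam::111122223333:policy/some-other-policy",
    }
}
SAMPLE_DISABLED = {"autoModeConfig": {"enabled": False}}


if __name__ == "__main__":
    for name, cfg in [
        ("proposed", SAMPLE_PROPOSED),
        ("missing", SAMPLE_MISSING),
        ("precreated", SAMPLE_PRECREATED),
        ("wrong", SAMPLE_WRONG),
        ("disabled", SAMPLE_DISABLED),
    ]:
        ok, msgs = check_auto_mode_boundary(cfg, REQUIRED_BOUNDARY)
        print(f"{name:10s} compliant={ok} {msgs}")
```

Running the check in CI before `eksctl create cluster` turns the organisation's boundary requirement into a failing build rather than a role that is discovered to be unbounded after the CloudFormation stack exists.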

Hello amdonov 👋 Thank you for opening an issue in the eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website.


This issue is stale because it has been open 30 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Apr 21, 2025