[EKS] [request]: Open source EKS Pod Identity agent #2239

Open
georgejohnis opened this issue Dec 13, 2023 · 4 comments
@georgejohnis

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Amazon EKS recently launched EKS Pod Identity, a new feature that simplifies how IAM credentials can be granted to pods running on EKS clusters. See [1] and [2] to learn more about the feature. The Pod Identity feature requires an agent (called EKS Pod Identity Agent) to be running on every worker node to help exchange JWT tokens for temporary IAM credentials. This agent is made available to customers today as an EKS Add-on. This request is to open source the agent source code so that users can bake the agent as part of the worker node AMI or use Helm to install the agent. Please vote and/or provide feedback if you have a use case/need for the agent to be open sourced.

[1] What's new post
[2] EKS Docs

Which service(s) is this request for?
EKS

@georgejohnis added the Proposed (Community submitted issue) and EKS (Amazon Elastic Kubernetes Service) labels on Dec 13, 2023

@csantanapr

Can the agent run on the control plane?

@infa-ddeore

Can you release a Helm chart for the agent?

@r5sec5cyl

My organization (a large enterprise in the financial services sector) will be able to increase the applicable use cases for EKS substantially, probably doubling our usage of EKS, by switching to Pod Identity Agent from IRSA. To make the switch, we need to be able to deploy any services, including any add-ons like this one, matching our configuration requirements. This change would enable us to use the add-on and expand our covered use cases.

@rubroboletus

Why doesn't the EKS Pod Identity Agent use the service-account-role-arn for IAM roles for service accounts, and why must you provide the EKS Pod Identity Agent with permissions in the node role?
