-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow assuming multiple web identity roles #597
Comments
As an alternative to creating multiple web identities to associate with the controller process POD, a new "assume role" capability could be added, see #606. This would present the advantage that new roles can be created as new resources are enabled without any re-deploy or update to the provider controller pod. E.g. (repeated here for clarity) a provider config with specific roles:
|
Revisiting this so that my musings in Slack are not lost 😃 I think a combination of role assumption using First-off, you need a credential of some sort to be able to assume a role - with The role identifier in the We currently call
Authorization flow would be as follows: With
With
With
With both
Thoughts on this? I don't think the implementation is remotely as complex as the explanation here, but it would be good if we could simplify this further (e.g. rule out using both Happy to work on this as I've been poking around this stuff already but I'd like to confirm my thinking around the approach is sound before I go further. |
I am interested in @benagricola 's second scenario above:
I have a situation where we can allow other account's IDPs to trust our K8s cluster's OIDC provider but we cannot use sts chaining on roles due to a explicit boundary limitation. You can see that the suggestion given in the aws pod identity webhook comments thread does work inside my provider pod once the IDP trust to to the oidc is setup:
What is the current workaround? To have multiple aws providers? |
@jessesanford does the new functionality @haarchri introduced in #912 that has now been included in |
Doesn't this imply an STS Assumption as when the controller connects to the Amazon api in the client account before it starts managing resources? From what I see in the code this is an AssumeRole call and not an AssumeRoleWithWebIdentity which would be exchanging the original jwt token for the role. While we can get our client accounts setup with an IDP that trusts the k8s server hosting crossplane, we cannot use cross account role trusts for sts chaining. |
@jessesanford I just ran into this issue where I needed to add on AccountA role:
and on AccountB role:
first part of this second statement should be enough if switched from |
if I fully comprehend the limitation then most likely what would need to happen is, in these cases where adding all these role trusts is a bit unwieldy the better solution would be to create multiple This would just require the (This is all only necessary if @benagricola 's solution couldn't be implemented which would leverage the single Deployment). |
@nabuskey and I have been working on similar solutions here: #1258 and here: nabuskey/provider-aws@master...nabuskey:feature/oidc-assume-role if anyone wants to take a look. |
…77e5db7994 Consume upjet with custom metrics
What problem are you facing?
A number of
provider-aws
users make use of the IRSA authentication flow to allow the provider to authenticate to AWS. This is a useful pattern, but restricts the providerPod
to only assuming one role because the EKS Pod Identity Webhook injects this role based on thePod
ServiceAccount
, and hardcodes the environment variables that point to the volume mount, and we hardcode accessing them.How could Crossplane help solve your problem?
Users can choose to manually specify environment variables with multiple ARNs and specific mount paths. In the linked example, two different containers are making use of the same SA token mount, but using different ARNs. Crossplane users may define additional environment variables on their provider containers using the
ControllerConfig
. This means that if we added a field to theprovider-aws
ProviderConfig
that allowed for theInjectedIdentity
source to be customized with something likeoverrideARNEnvVar
, users could have a single providerPod
assume multiple roles using a single SA.The text was updated successfully, but these errors were encountered: