aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0

IAM controller: create a role suitable for IRSA #1694

Open james-callahan opened 1 year ago

james-callahan commented 1 year ago

Is your feature request related to a problem?

When using the IAM controller, I expect to be able to create an IAM role suitable for use with IRSA.

This would involve creation of an assumeRolePolicyDocument of something like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789:oidc-provider/myoidcprovider.example.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "myoidcprovider.example.com:sub": "system:serviceaccount:mynamespace:myserviceaccount"
                }
            }
        }
    ]
}

Describe the solution you'd like

  1. Instead of providing an opaque JSON/YAML blob for assumeRolePolicyDocument, have an (optional) Kubernetes-native form, e.g.
    apiVersion: iam.services.k8s.aws/v1alpha1
    kind: Role
    metadata:
      name: myrole
    spec:
      name: myrole
      assumeRolePolicy:
        - sid: "" # should also be the default if absent
          effect: allow
          principal:
            type: federated
            value: arn:aws:iam::123456789:oidc-provider/myoidcprovider.example.com
          actions:
            - sts:AssumeRoleWithWebIdentity
          conditions:
            - test: StringEquals
              variable: myoidcprovider.example.com:sub
              values:
                - system:serviceaccount:mynamespace:myserviceaccount
  2. Enhance FieldExport to be more like kustomize replacements, supporting:

    • multiple targets
    • delimiter and index

    This enhancement is possibly related to https://github.com/aws-controllers-k8s/community/issues/1417

    e.g.

    apiVersion: iam.services.k8s.aws/v1alpha1
    kind: Role
    metadata:
      name: myrole
    spec:
      name: myrole
      assumeRolePolicy:
        - effect: allow
          principal:
            type: federated
            value: # to be filled in by `FieldExport`
          actions:
            - sts:AssumeRoleWithWebIdentity
          conditions:
            - test: StringEquals
              variable: :sub # to be filled in by `FieldExport`
              values:
                - system:serviceaccount:mynamespace:myserviceaccount
    ---
    apiVersion: services.k8s.aws/v1alpha1
    kind: FieldExport
    metadata:
      name: myrole-oidc
    spec:
      from:
        resource:
          kind: OpenIDConnectProvider
          name: myoidcprovider
          path: .ackResourceMetadata.arn
      targets:
        - select:
            kind: Role
            name: myrole
          fieldPaths:
            - spec.assumeRolePolicy.0.principal.value
        - select:
            kind: Role
            name: myrole
          fieldPaths:
            - spec.assumeRolePolicy.0.conditions.0.variable
          options:
            delimiter: ":"
            # index defaults to 0

Describe alternatives you've considered
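The translation the first proposal implies, written out as an added example (not code from the issue or from the ACK project): the native assumeRolePolicy list is rendered into the IAM trust-policy JSON shown at the top, and the result is checked for the one property IRSA depends on, a sub condition pinned to a single service account. The derivation of the condition-key prefix from the OIDC provider ARN (everything after `oidc-provider/`) and the `provider_host`, `render_trust_policy` and `irsa_sub_is_scoped` names are assumptions of this example.

```python
# Constructed sample values, in the shape of the proposed spec.assumeRolePolicy list.
OIDC_PROVIDER_ARN = "arn:aws:iam::123456789:oidc-provider/myoidcprovider.example.com"
SA_SUB = "system:serviceaccount:mynamespace:myserviceaccount"

def provider_host(oidc_provider_arn: str) -> str:
    """The condition-key prefix is the host after 'oidc-provider/' in the ARN
    (assumed here; it is the delimiter-and-index extraction the FieldExport idea needs)."""
    return oidc_provider_arn.split("oidc-provider/", 1)[1]

def render_trust_policy(statements: list) -> dict:
    """Translate the proposed native list form into an IAM trust-policy document."""
    out = []
    for s in statements:
        cond = {}
        for c in s.get("conditions", []):
            v = c["values"]  # a single value becomes a string, as in the issue's JSON
            cond.setdefault(c["test"], {})[c["variable"]] = v[0] if len(v) == 1 else v
        a = s["actions"]
        stmt = {"Sid": s.get("sid", ""),  # empty Sid by default, as proposed
                "Effect": s["effect"].capitalize(),  # allow -> Allow
                "Principal": {s["principal"]["type"].capitalize(): s["principal"]["value"]},
                "Action": a[0] if len(a) == 1 else a}
        if cond:
            stmt["Condition"] = cond
        out.append(stmt)
    return {"Version": "2012-10-17", "Statement": out}

def irsa_sub_is_scoped(policy: dict) -> bool:
    """Each AssumeRoleWithWebIdentity statement must pin the token's sub claim to one
    namespace/serviceaccount with StringEquals; a missing or wildcarded sub condition
    would let any pod behind the same OIDC provider assume the role."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "sts:AssumeRoleWithWebIdentity" not in acts:
            continue
        eq = stmt.get("Condition", {}).get("StringEquals", {})
        subs = [v for k, v in eq.items() if k.endswith(":sub")]
        flat = [x for v in subs for x in (v if isinstance(v, list) else [v])]
        if not flat or any("*" in x or not x.startswith("system:serviceaccount:") for x in flat):
            return False
    return True

# The issue's first proposal, expressed as data so render_trust_policy can consume it.
PROPOSED = [{"sid": "", "effect": "allow",
             "principal": {"type": "federated", "value": OIDC_PROVIDER_ARN},
             "actions": ["sts:AssumeRoleWithWebIdentity"],
             "conditions": [{"test": "StringEquals",
                             "variable": provider_host(OIDC_PROVIDER_ARN) + ":sub",
                             "values": [SA_SUB]}]}]
```

`render_trust_policy(PROPOSED)` reproduces the JSON document at the top of the issue, and `irsa_sub_is_scoped` returns False for a statement that lacks the sub condition or expresses it only as a StringLike wildcard.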

ack-bot commented 1 year ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

RedbackThomson commented 1 year ago

/lifecycle frozen

This is definitely a request we have seen quite a few times, and solving this is part of our wider vision for managing EKS clusters using ACK

james-callahan commented 12 months ago

Has there been any progress/discussion on this? @RedbackThomson? IMO it's a pretty critical use-case for the ACK IAM controller

omri-shilton commented 1 month ago

I was thinking about this feature as well. Is this a good idea, to manage the IRSA roles in the cluster itself? IMO each app should be the one to manage its IRSA and not some external Terraform or CloudFormation code.

Can we get an official statement on this?