aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[EKS] [request]: Ability to extract substring from ${OIDC_PROVIDER}:sub variable when using IRSA #1512

Open yarozen opened 3 years ago

yarozen commented 3 years ago


Tell us about your request
Ability to extract substring from ${OIDC_PROVIDER}:sub variable when using IRSA

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I want to provide each pod with access to a specific folder in an S3 bucket, where the folder name is automatically derived from the identity of the pod or the service account name that is assigned to the pod. This way I can use a single role & policy without the need to create them per pod. When using the ${OIDC_PROVIDER}:sub variable in the IAM policy associated with the assumed role, the returned value looks like this: system:serviceaccount:<my-namespace>:<my-service-account>. So all the folder names will have to have this structure. If I were able to obtain just the namespace or the service account, I would be able to name the S3 folders like I initially wanted. If I could obtain a substring of the sub variable, that would be great. Something like this:

"${OIDC_PROVIDER}:sub": "system:serviceaccount:<my-namespace>:<my-service-account>"
"${OIDC_PROVIDER}:sub:namespace": "<my-namespace>"
"${OIDC_PROVIDER}:sub:serviceaccount": "<my-service-account>"

Are you currently working around this issue?
I need to create a dedicated role and policy per service account
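The request above hinges on the shape of the `sub` claim that IRSA presents to IAM. The following added example (not code from the issue or from AWS) parses that claim into the namespace and service account the poster wants to reference separately, and audits a role's trust policy for the two conditions that keep a shared role from being assumable by more service accounts than intended: a pinned `:aud` and a non-wildcarded `:sub`. The OIDC provider ID, the account number and both trust policies are constructed placeholders.

```python
"""Added example, not code from the issue or from AWS: parse the IRSA ``sub``
claim and audit the trust-policy condition on it.  The OIDC provider ID,
account number and policy documents are constructed placeholders."""
import re
from typing import NamedTuple

# Constructed placeholder; a real provider looks like
# oidc.eks.<region>.amazonaws.com/id/<32 hex chars>.
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEPROVIDERID"
SUB_KEY = f"{OIDC_PROVIDER}:sub"
AUD_KEY = f"{OIDC_PROVIDER}:aud"


class ServiceAccountIdentity(NamedTuple):
    namespace: str
    service_account: str


# Kubernetes projected-token subject: system:serviceaccount:<namespace>:<name>.
# Namespaces are DNS labels; service account names are DNS subdomains.
_SUB_RE = re.compile(r"^system:serviceaccount:([a-z0-9-]+):([a-z0-9.-]+)$")


def parse_sub(sub: str) -> ServiceAccountIdentity:
    """Split the claim into the two parts the issue asks IAM to expose separately."""
    m = _SUB_RE.match(sub)
    if m is None:
        raise ValueError(f"not a Kubernetes service account subject: {sub!r}")
    return ServiceAccountIdentity(*m.groups())


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc: dict) -> list:
    """Findings for each statement that grants sts:AssumeRoleWithWebIdentity.

    A missing or wildcarded ``:sub`` condition lets more service accounts assume
    the role than intended; a missing ``:aud`` condition accepts tokens minted
    for other audiences.
    """
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if equals.get(AUD_KEY) != "sts.amazonaws.com":
            findings.append(f"statement {i}: {AUD_KEY} is not pinned to sts.amazonaws.com")
        subs = _as_list(equals.get(SUB_KEY) or like.get(SUB_KEY) or [])
        if not subs:
            findings.append(f"statement {i}: no {SUB_KEY} condition; "
                            "any service account in the cluster can assume the role")
            continue
        for sub in subs:
            if SUB_KEY in like and any(c in sub for c in "*?"):
                # Wildcard over the namespace is broader than one over the name.
                ns, _, _sa = sub.removeprefix("system:serviceaccount:").partition(":")
                scope = "namespace" if any(c in ns for c in "*?") else "service account"
                findings.append(f"statement {i}: wildcard in the {scope} part of {sub!r}")
            else:
                try:
                    parse_sub(sub)  # StringEquals values must be a literal subject
                except ValueError as exc:
                    findings.append(f"statement {i}: {exc}")
    return findings


def _trust_policy(condition: dict) -> dict:
    # Constructed account number (AWS documentation placeholder).
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# Constructed: one role scoped to exactly one service account.
GOOD_TRUST_POLICY = _trust_policy({"StringEquals": {
    AUD_KEY: "sts.amazonaws.com",
    SUB_KEY: "system:serviceaccount:payments:uploader",
}})

# Constructed: the shared-role shortcut taken too far (every namespace, every name).
WIDE_TRUST_POLICY = _trust_policy({"StringLike": {SUB_KEY: "system:serviceaccount:*:*"}})

if __name__ == "__main__":
    print(parse_sub("system:serviceaccount:payments:uploader"))
    for name, doc in (("good", GOOD_TRUST_POLICY), ("wide", WIDE_TRUST_POLICY)):
        print(name, audit_trust_policy(doc) or "no findings")
```

`parse_sub` is the client-side equivalent of the `:sub:namespace` / `:sub:serviceaccount` keys the issue asks for; `audit_trust_policy` is the check worth running over existing roles when one shared role is used instead of one per service account.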

oshmyrko commented 2 years ago

It would be really nice to have such a key among the AWS global condition context keys. Currently there is only the aws:FederatedProvider key, which only allows limiting access to AWS services like S3 by identity provider ARN.

peleduri commented 2 years ago

+1

popen2 commented 1 year ago

Would it be possible to maybe add this information to the session tags of the assumed role session? References:

EKS could add default session tags automatically, or service account annotations could be allowed to inject this information. For example, with this service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: example
  namespace: example
  annotations:
    eks.amazonaws.com/role-arn: <role-arn>
    eks.amazonaws.com/session-tag/TenantID: Tenant1
    eks.amazonaws.com/session-tag/Env: Staging

the ${aws:PrincipalTag/TenantID} and ${aws:PrincipalTag/Env} variables would be usable in the attached role policy.
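To make concrete what the session-tag proposal would buy, here is an added example (not code from the issue or from AWS) that simulates how `${aws:PrincipalTag/...}` policy variables in a Resource ARN scope S3 access per tenant once the role session carries tags. `${aws:PrincipalTag/Key}` is a documented IAM policy variable; how the tags reach the session (the annotations above) is the commenter's proposal, so the tag values, bucket name and evaluation rules here are constructed for illustration, and the evaluator handles only Allow statements.

```python
"""Added example, not code from the issue or from AWS: a small simulation of
``${aws:PrincipalTag/...}`` substitution in an S3 resource ARN.  Policy, bucket
name and session tags are constructed; only Allow statements are evaluated."""
import re
from fnmatch import fnmatchcase
from typing import Optional

# Constructed permission policy: one prefix per (TenantID, Env) pair, attached
# to a single shared role instead of one role per service account.
TENANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/${aws:PrincipalTag/TenantID}/${aws:PrincipalTag/Env}/*",
    }],
}

_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def render_resource(resource: str, session_tags: dict) -> Optional[str]:
    """Substitute each ${aws:PrincipalTag/Key}; None when a referenced tag is absent.

    An absent tag must not collapse to an empty string, or the pattern would widen
    to the whole bucket; the statement is treated as not matching instead.
    """
    referenced = _TAG_VAR.findall(resource)
    if any(key not in session_tags for key in referenced):
        return None
    return _TAG_VAR.sub(lambda m: session_tags[m.group(1)], resource)


def is_allowed(action: str, object_arn: str, session_tags: dict,
               policy: dict = TENANT_POLICY) -> bool:
    """Does any Allow statement, rendered with the session's tags, cover the object?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        for resource in _as_list(stmt["Resource"]):
            rendered = render_resource(resource, session_tags)
            # ARN wildcards (* and ?) behave like shell globs here.
            if rendered is not None and fnmatchcase(object_arn, rendered):
                return True
    return False


if __name__ == "__main__":
    tags = {"TenantID": "tenant1", "Env": "staging"}  # constructed session tags
    print(render_resource(TENANT_POLICY["Statement"][0]["Resource"], tags))
    print(is_allowed("s3:GetObject", "arn:aws:s3:::example-bucket/tenant1/staging/report.csv", tags))
    print(is_allowed("s3:GetObject", "arn:aws:s3:::example-bucket/tenant2/staging/report.csv", tags))
```

The point of `render_resource` returning `None` for a missing tag is the failure mode to watch for with this design: a session that lacks a tag the policy references must get no access, not access to the un-prefixed bucket.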