Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
Make it possible to provide session tags to use when assuming the task IAM role.
Which service(s) is this request for?
ECS/Fargate
EKS?
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We're trying to build a multi-tenant system that involves running ECS tasks on behalf of tenants. Those tasks should only have access to S3 data of their tenant. Creating an IAM role per tenant is not feasible as it quickly runs into IAM quotas, so we'd like to use ABAC to control S3 access. However, it is not currently possible in ECS, because we can't provide session tags for ECS to use when assuming the task role.
Are you currently working around this issue?
Our "scheduler" assumes the task role before running an ECS task and passes the resulting credentials through environment variables. As a result, we also struggle with the 1 hour hard limit on the duration of chained sessions.
It would be much easier if there was a way to specify session tags on task definitions and/or in RunTask request, or at least a way to forward session tags from the principal that runs the task.
Similarly, it would be nice if IRSA in EKS supported specifying session tags through service account and/or pod annotations, for all the same reasons.
Finally, I believe it would also be useful in Lambda, although IIUC it's the wrong place to raise feature requests for Lambda.
Additional context
Looks like this is possible in SageMaker.
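The ABAC pattern the workaround above relies on, as an added Python example that is not part of the issue: one shared task role whose S3 policy is scoped by the `${aws:PrincipalTag/tenant}` policy variable, plus the `AssumeRole` parameters the scheduler would use to set that tag as a session tag. The bucket name, account id and role name are placeholders, nothing calls AWS, and a small offline matcher shows the variable resolving for a tagged session and failing (no access) for an untagged one.

```python
import fnmatch
import re
from typing import Optional

BUCKET = "tenant-data"                                  # placeholder bucket
ROLE_ARN = "arn:aws:iam::123456789012:role/task-role"   # placeholder account/role
VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")     # IAM policy variable

def tenant_policy() -> dict:
    """Policy for the single shared task role: S3 access only under the
    prefix named by the session's 'tenant' principal tag (ABAC)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/${{aws:PrincipalTag/tenant}}/*",
    }]}

def assume_role_request(tenant: str, duration: int = 3600) -> dict:
    """Keyword arguments the scheduler would pass to sts.assume_role().
    The session tag is what makes the policy variable resolve; it is marked
    transitive so it survives further chaining. Chained sessions are capped
    at one hour, the limit the issue runs into."""
    return {
        "RoleArn": ROLE_ARN,
        "RoleSessionName": f"task-{tenant}",
        "DurationSeconds": min(duration, 3600),
        "Tags": [{"Key": "tenant", "Value": tenant}],
        "TransitiveTagKeys": ["tenant"],
    }

def _resolve(pattern: str, tags: dict) -> Optional[str]:
    """Substitute principal-tag variables, or None if a tag is missing.
    Values are glob-escaped so a tag like 'a*' cannot widen the match."""
    out, pos = [], 0
    for m in VAR.finditer(pattern):
        if m.group(1) not in tags:
            return None
        out.append(pattern[pos:m.start()] + re.sub(r"([*?\[])", r"[\1]", tags[m.group(1)]))
        pos = m.end()
    return "".join(out) + pattern[pos:]

def allowed(policy: dict, tags: dict, action: str, resource: str) -> bool:
    """Minimal allow-only evaluator: an unresolved variable means the statement
    does not match, so an untagged session gets no S3 access at all."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and action in stmt["Action"]:
            pattern = _resolve(stmt["Resource"], tags)
            if pattern is not None and fnmatch.fnmatchcase(resource, pattern):
                return True
    return False
```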