aws / eks-pod-identity-agent

Apache License 2.0
65 stars 11 forks source link

[Feature request] Support for custom Session Tags and Session Name #14

Open taraspos opened 3 months ago

taraspos commented 3 months ago

Feature request

Ability to configure Custom Session Tags and Custom Session Names for STS sessions created by EKS Pod Identities.

Context

Currently it's not possible to configure neither Custom Session Tags^1 nor Custom Session Name^2.

This makes it impossible to implement certain use-cases where I need to configure IAM policies based on custom IDs, rather than supported values of:

Also, existing session tags consume more than a half of STS packedPolicySize, would be great to be able to optionally disable some tags, to reduce policy size:

taer commented 1 month ago

This also helps with MSK's IAM policy. The MSK server gets angry and de-auths you when your session name changes. So your MSK connection is alive and well for the initial X hours. When pod-identtity-agent assumes a NEW STS role when the old expires, the session name changes, which causes MSK to kick you out. The error you get is about principals changing. The fix is to set AWS_ROLE_SESSION_NAME, which isn't possible w/ pod-identity

https://github.com/aws/aws-msk-iam-auth/issues/104

taer commented 1 month ago

linking to aws roadmap in case it helps https://github.com/aws/containers-roadmap/issues/2362