Open taraspos opened 3 months ago
This also helps with MSK's IAM policy. The MSK server gets angry and de-auths you when your session name changes. So your MSK connection is alive and well for the initial X hours. When pod-identity-agent assumes a NEW STS role when the old expires, the session name changes, which causes MSK to kick you out. The error you get is about principals changing. The fix is to set AWS_ROLE_SESSION_NAME, which isn't possible w/ pod-identity.
linking to aws roadmap in case it helps https://github.com/aws/containers-roadmap/issues/2362
Feature request
Ability to configure Custom Session Tags and Custom Session Names for STS sessions created by EKS Pod Identities.
Context
Currently it's not possible to configure either Custom Session Tags^1 or Custom Session Name^2.
This makes it impossible to implement certain use-cases where I need to configure IAM policies based on custom IDs, rather than supported values of:
Also, existing session tags consume more than half of the STS `packedPolicySize`; it would be great to be able to optionally disable some tags, to reduce policy size: