aws / secrets-store-csi-driver-provider-aws

The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store, and mount them into Kubernetes pods.
Apache License 2.0

Secret access cross account without resource based policy #360

Closed prakashbalaji closed 1 month ago

prakashbalaji commented 1 month ago

Referring to the issue discussed in this thread: https://github.com/aws/secrets-store-csi-driver-provider-aws/issues/19

We are running into a similar issue where we want IRSA to have cross-account access to secrets (secrets stored in a central security account), while the pod needs an IRSA role which also has access to other local resources within the account where the cluster runs (workload account).

Is it possible to use the secrets store with IRSA for cross-account access without having to set a policy at the resource level?

We have a lot of secrets to manage and it is quite a lot of trouble to set access at each secret's level. Any pointers would be appreciated.

Thanks

jbct commented 1 month ago

Sorry, @prakashbalaji - cross-account access is not possible without a resource policy. This is an IAM behavior in AWS and not something we can change in the CSI driver plugin.
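The following is an added example, not code from the issue thread or from the provider project itself. Since a resource policy on each secret is unavoidable, the practical answer to "we have a lot of secrets" is to generate and apply the per-secret policies from one script rather than hand-writing them. Cross-account reads need three documents that agree with each other: the identity policy on the IRSA role in the workload account, a resource policy on every secret in the central account, and a KMS key policy statement on the customer-managed key that encrypts the secrets (secrets encrypted with the AWS-managed `aws/secretsmanager` key cannot be read across accounts). The `SecretProviderClass` must then reference each secret by its full ARN, not its short name. All account IDs, role names, key IDs and secret ARNs below are placeholders; `apply_resource_policies` uses boto3 and only runs when you call it with credentials for the central account.

```python
"""Generate the policies needed for cross-account Secrets Manager reads via IRSA.

Added example (not the provider's own code). All identifiers are placeholders.
"""
import json
from typing import Dict, List

# Placeholder identifiers (assumptions for the example).
CENTRAL_ACCOUNT = "111111111111"    # account that owns the secrets and the KMS key
WORKLOAD_ACCOUNT = "222222222222"   # account that runs the EKS cluster
REGION = "us-east-1"
WORKLOAD_ROLE_ARN = f"arn:aws:iam::{WORKLOAD_ACCOUNT}:role/eks-app-irsa-role"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{CENTRAL_ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
SECRET_ARNS = [
    f"arn:aws:secretsmanager:{REGION}:{CENTRAL_ACCOUNT}:secret:prod/db-password-AbCdEf",
    f"arn:aws:secretsmanager:{REGION}:{CENTRAL_ACCOUNT}:secret:prod/api-key-GhIjKl",
]
# Actions the CSI provider needs on a secret: read the value and describe versions.
SECRET_READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]


def resource_policy(principal_role_arn: str) -> Dict:
    """Resource policy attached to ONE secret in the central account.

    "Resource": "*" in a secret's resource policy means the secret it is attached to.
    Only the named IRSA role (not the whole workload account) is granted access.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowWorkloadIrsaRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": principal_role_arn},
            "Action": SECRET_READ_ACTIONS,
            "Resource": "*",
        }],
    }


def identity_policy(secret_arns: List[str], kms_key_arn: str) -> Dict:
    """Identity policy for the IRSA role in the workload account.

    Cross-account access requires BOTH this identity policy and the resource
    policy on each secret; kms:Decrypt on the central account's key is also needed.
    Resources are listed explicitly so the role cannot read other secrets.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadCentralSecrets", "Effect": "Allow",
             "Action": SECRET_READ_ACTIONS, "Resource": list(secret_arns)},
            {"Sid": "DecryptCentralKey", "Effect": "Allow",
             "Action": ["kms:Decrypt"], "Resource": kms_key_arn},
        ],
    }


def kms_key_policy_statement(principal_role_arn: str, region: str) -> Dict:
    """Statement to add to the customer-managed key's policy in the central account.

    kms:ViaService restricts the grant to decryption performed by Secrets Manager
    in this region, so the role cannot use the key directly.
    """
    return {
        "Sid": "AllowWorkloadIrsaRoleDecryptViaSecretsManager",
        "Effect": "Allow",
        "Principal": {"AWS": principal_role_arn},
        "Action": ["kms:Decrypt"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
    }


def secret_provider_class_objects(secret_arns: List[str]) -> List[Dict]:
    """`objects` list for a SecretProviderClass; cross-account secrets need the full ARN."""
    return [{"objectName": arn, "objectType": "secretsmanager"} for arn in secret_arns]


def apply_resource_policies(secret_arns: List[str], principal_role_arn: str, region: str) -> int:
    """Attach the generated resource policy to every secret. Returns the count applied.

    Requires credentials for the central account; boto3 is imported here so the
    policy builders above work without it installed.
    """
    import boto3
    sm = boto3.client("secretsmanager", region_name=region)
    policy_json = json.dumps(resource_policy(principal_role_arn))
    for arn in secret_arns:
        sm.put_resource_policy(SecretId=arn, ResourcePolicy=policy_json, BlockPublicPolicy=True)
    return len(secret_arns)


if __name__ == "__main__":
    # Print the documents for review; call apply_resource_policies() to push them.
    print(json.dumps({
        "identity_policy": identity_policy(SECRET_ARNS, KMS_KEY_ARN),
        "resource_policy": resource_policy(WORKLOAD_ROLE_ARN),
        "kms_key_policy_statement": kms_key_policy_statement(WORKLOAD_ROLE_ARN, REGION),
        "secret_provider_class_objects": secret_provider_class_objects(SECRET_ARNS),
    }, indent=2))
```

Run the script to review the generated documents, then apply the identity policy to the IRSA role in the workload account, merge the KMS statement into the key policy in the central account, and call `apply_resource_policies(SECRET_ARNS, WORKLOAD_ROLE_ARN, REGION)` with central-account credentials. Granting the role rather than the whole account in the resource and key policies keeps the blast radius to that one workload identity.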