Open mcwm6 opened 3 weeks ago
The CSI Driver currently doesn't support using chained AssumeRole. However, we do support two other approaches described here: https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/docs/CONFIGURATION.md#cross-account-bucket-access (using cross account bucket policies, and using IRSA set up from a different account).
I'll leave this open as a feature request
@muddyfish does the CSI Driver support accessing an S3 bucket in another account via a VPC interface/gateway endpoint? I know this is possible via the mountpoint-s3 library itself, but didn't see any documentation on setting it up via the CSI Driver.
It should do - please check the Mountpoint documentation for details.
Please create a separate issue if you have problems with it, as VPC/gateway support is off topic for the OP's question.
Is the driver currently capable of supporting cross-account bucket access using chained AssumeRole?
Ref: https://docs.aws.amazon.com/eks/latest/userguide/cross-account-access.html (Example Use chained AssumeRole operations)
I have a bucket in Account B, and pods in Account A will use a service account to first assume a (web identity) role with its own cluster's OIDC provider and then further assume a role from Account B to access the bucket.
/triage support
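The two-hop flow the question describes (IRSA web-identity role in Account A, then a role in Account B), shown as an added example that is not part of the CSI driver or of this thread. The ARNs, token and `FakeSts` are constructed so the file runs offline; `boto3_sts_factory` is the hypothetical drop-in for real use. It also applies the one caveat practitioners hit with this pattern: STS caps a role-chaining session at one hour regardless of the target role's maximum session duration.

```python
"""Chained AssumeRole for cross-account S3 access:
hop 1 exchanges the pod's IRSA web-identity token for a role in Account A,
hop 2 signs with those temporary credentials to assume a role in Account B.

The STS client is injected via make_sts_client(creds) so the flow runs offline
against the constructed FakeSts; in production pass boto3_sts_factory(region).
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: str  # ISO-8601 string, as STS returns it


# STS limits role-chaining sessions to one hour, whatever the role's max session duration.
ROLE_CHAINING_MAX_SECONDS = 3600


def read_irsa_token(path=None):
    """Read the projected OIDC token the EKS pod identity webhook mounts into the pod."""
    path = path or os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"]
    with open(path) as f:
        return f.read().strip()


def _creds(resp):
    c = resp["Credentials"]
    return AwsCredentials(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"], c["Expiration"])


def assume_web_identity_role(sts, role_arn, token, session_name, duration=3600):
    """Hop 1: unsigned STS call, authenticated only by the cluster-issued OIDC token."""
    return _creds(sts.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name,
        WebIdentityToken=token, DurationSeconds=duration))


def assume_role(sts, role_arn, session_name, duration=ROLE_CHAINING_MAX_SECONDS, external_id=None):
    """Hop 2: signed with hop-1 credentials; the target role's trust policy must name the hop-1 role."""
    if duration > ROLE_CHAINING_MAX_SECONDS:
        raise ValueError("role chaining sessions cannot exceed 3600 seconds")
    kwargs = dict(RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration)
    if external_id:
        kwargs["ExternalId"] = external_id
    return _creds(sts.assume_role(**kwargs))


def chained_assume_role(make_sts_client, first_hop_role_arn, target_role_arn, token,
                        session_name, external_id=None):
    """Return (hop1, hop2) credentials; hop2 is what the bucket client should be built from."""
    hop1 = assume_web_identity_role(make_sts_client(None), first_hop_role_arn, token, session_name)
    hop2 = assume_role(make_sts_client(hop1), target_role_arn, session_name, external_id=external_id)
    return hop1, hop2


def boto3_sts_factory(region_name):
    """Hypothetical factory for real use: STS clients signed with a hop's credentials (or none)."""
    def make(creds):
        import boto3  # imported lazily so the offline demo needs no AWS SDK installed
        if creds is None:
            return boto3.client("sts", region_name=region_name)
        return boto3.client("sts", region_name=region_name,
                            aws_access_key_id=creds.access_key_id,
                            aws_secret_access_key=creds.secret_access_key,
                            aws_session_token=creds.session_token)
    return make


class FakeSts:
    """Constructed stand-in for STS. It models the two trust relationships:
    the Account A role trusts the cluster's OIDC token, and the Account B role
    trusts only sessions of the Account A role (recognised here by access key id)."""
    HOP1_KEY, HOP2_KEY = "ASIA-FAKE-HOP1", "ASIA-FAKE-HOP2"

    def __init__(self, caller_creds, trusted_token, first_hop_role_arn, target_role_arn):
        self.caller, self.token = caller_creds, trusted_token
        self.first_hop, self.target = first_hop_role_arn, target_role_arn

    @staticmethod
    def _resp(key):
        return {"Credentials": {"AccessKeyId": key, "SecretAccessKey": "fake-secret",
                                "SessionToken": "fake-session", "Expiration": "2000-01-01T00:00:00Z"}}

    def assume_role_with_web_identity(self, RoleArn, RoleSessionName, WebIdentityToken, DurationSeconds):
        if RoleArn != self.first_hop or WebIdentityToken != self.token:
            raise PermissionError("web identity token not trusted by this role")
        return self._resp(self.HOP1_KEY)

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds, ExternalId=None):
        if RoleArn != self.target or self.caller is None or self.caller.access_key_id != self.HOP1_KEY:
            raise PermissionError("caller is not a session of the trusted Account A role")
        return self._resp(self.HOP2_KEY)


def demo():
    """Run the chain against FakeSts with constructed ARNs and token."""
    first_hop = "arn:aws:iam::111111111111:role/account-a-irsa-role"  # constructed
    target = "arn:aws:iam::222222222222:role/account-b-bucket-role"    # constructed
    token = "constructed.oidc.token"
    return chained_assume_role(lambda c: FakeSts(c, token, first_hop, target),
                               first_hop, target, token, "mountpoint-s3-pod")


if __name__ == "__main__":
    hop1, hop2 = demo()
    print("hop 1 session:", hop1.access_key_id, "-> hop 2 session:", hop2.access_key_id)
```

The trust check in `FakeSts.assume_role` is the part worth noticing: the Account B role refuses a caller that did not come through hop 1, which is exactly the boundary the real trust policy on that role enforces. Because the CSI driver does not perform hop 2 itself, a pod that needs this pattern today has to obtain the hop-2 credentials some other way, or use one of the two supported approaches linked above.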