Open smriti0321 opened 9 months ago
@kfirpeled Can someone from the team provide other examples of when a user would want to populate the Role ARN and not leave it empty? Thanks.
When it comes to the credentials part, @oren-zohar's team is the best fit to answer this one.
I have no actual knowledge about use cases.
But reading the code:
```go
// Assume IAM role if iam_role config parameter is given
if beatsConfig.RoleArn != "" {
	addAssumeRoleProviderToAwsConfig(beatsConfig, &awsConfig)
}
```
In case a roleArn is provided we are going to assume it, instead of using the role configured in the EC2 instance.
Therefore I assume it's a safety net for cases where the EC2 instance role can't be changed. Why could it not be changed? As mentioned, maybe the machine is used for multiple things. Or maybe it's a company policy to not attach roles to instances.
The current behaviour in the CSPM AWS - Manual Deployment workflow has a recommendation to leave Role ARN empty, whereas the field is visible to the user. After discussing with the team internally, quoting a few examples of cases where it will be relevant to fill in Role ARN:
In the documentation we can highlight these cases as examples of when a user would want to populate the Role ARN and not leave it empty.
Screenshot of the existing workflow: