jtblin / kube2iam

kube2iam provides different AWS IAM roles for pods running on Kubernetes
BSD 3-Clause "New" or "Revised" License
1.97k stars 318 forks

Trust Relationship example in readme is too wide #322

Open chinskiy opened 2 years ago

chinskiy commented 2 years ago

Greetings!

Trust relationship example provided in the README.md

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/kubernetes-worker-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

contains two statements: the first statement allows any EC2 instance to assume this role and the second allows it for arn:aws:iam::123456789012:role/kubernetes-worker-role

After checking an example and trying different trust relationships it seems like in my case it's enough to have only the second part of the trust relationships from an example.

That's why I'm curious to ask about the reasoning behind the first statement in this policy, because the goal is only to allow the Kubernetes worker role to assume other roles, but the provided example contradicts the principle of least privilege by allowing any EC2 instance to assume the role.

Thanks!
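To make the comparison concrete, here is an added example (not code from the issue, the README, or the kube2iam project) that loads the README trust policy quoted above, flags the statement whose principal is the `ec2.amazonaws.com` service rather than a specific IAM role, and emits the reduced policy that keeps only the statement trusting the node role. The function names (`broad_statements`, `minimal_trust_policy`) and the `NODE_ROLE_ARN` constant are assumptions of this example; the account id and role name are the README's placeholders.

```python
import copy
import json

# Constructed copy of the trust relationship example quoted from the README above.
README_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "", "Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Sid": "", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/kubernetes-worker-role"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

# Assumed: the role attached to the Kubernetes worker nodes (README placeholder ARN).
NODE_ROLE_ARN = "arn:aws:iam::123456789012:role/kubernetes-worker-role"


def _as_list(value):
    """IAM accepts either a string or a list in Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(statement):
    """Yield (kind, value) pairs, e.g. ("Service", "ec2.amazonaws.com") or ("AWS", "<arn>").
    A bare "*" principal is reported as ("*", "*")."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield ("*", "*")
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield (kind, value)


def allows_assume_role(statement):
    """True if the statement is an Allow that covers sts:AssumeRole."""
    actions = _as_list(statement.get("Action"))
    return statement.get("Effect") == "Allow" and any(
        a in ("sts:AssumeRole", "sts:*", "*") for a in actions)


def broad_statements(policy):
    """Return AssumeRole statements whose principal is a service or a wildcard rather than
    a specific IAM principal. In the README example this is the ec2.amazonaws.com statement,
    which the issue argues is wider than kube2iam needs."""
    found = []
    for st in policy.get("Statement", []):
        if not allows_assume_role(st):
            continue
        if any(kind in ("Service", "*") for kind, _ in principals(st)):
            found.append(st)
    return found


def minimal_trust_policy(policy, node_role_arn):
    """Return a copy of the policy that keeps only AssumeRole statements whose principals are
    exactly the node role (the second statement of the README example)."""
    kept = []
    for st in policy.get("Statement", []):
        ps = list(principals(st))
        if allows_assume_role(st) and ps and all(p == ("AWS", node_role_arn) for p in ps):
            kept.append(copy.deepcopy(st))
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": kept}


if __name__ == "__main__":
    for st in broad_statements(README_TRUST_POLICY):
        print("broad principal:", dict(principals(st)))
    print(json.dumps(minimal_trust_policy(README_TRUST_POLICY, NODE_ROLE_ARN), indent=2))
```

Running the script prints the service-principal statement as the broad one and a trust policy containing only the node-role statement, which is the shape the reporter found sufficient in practice.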

nitinsh99 commented 1 year ago

Any update on this? I can also confirm that only the node needs to be whitelisted and the service allow is not needed.