jtblin / kube2iam

kube2iam provides different AWS IAM roles for pods running on Kubernetes
BSD 3-Clause "New" or "Revised" License
1.96k stars 318 forks

AWS Trust Policy Behavior Change #352

Open transient1 opened 1 year ago

transient1 commented 1 year ago

Hi. I wanted to verify my understanding of the recent(ish) announcement about how AWS is changing the implicit ability for a role to assume itself as documented here.

The install instructions for kube2iam say to include this policy in the roles you attach to your nodes:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}
```

which clearly allows the nodes to assume a role. However in the AWS announcement they call out that a trust policy that sets those node roles as the principal is both "necessary and sufficient" to allow assumption of that role. I tested this by removing this policy from the nodes, and making sure workloads using the kube2iam annotation were still able to successfully make their API calls to AWS.

Before I go ahead and remove this policy from our instance profiles though I was hoping to verify that there isn't another purpose to this policy that I am missing. Thank you.
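The distinction the reporter is asking about can be checked offline. The script below is an added example written for this thread; it is not kube2iam code and not something the reporter posted. It models the same-account `sts:AssumeRole` decision as AWS documents it after the behaviour change: a trust policy that names the caller's role ARN as principal is sufficient on its own, a trust policy that names only the account root additionally requires the caller's identity-based policy to allow `sts:AssumeRole` on the target, an explicit Deny in either policy wins, and a role assuming itself is now treated like any other caller. The account ID `123456789012`, the role names `eks-node-role` and `app-s3-reader`, and the `TRUST_*` policies are constructed placeholders; policy conditions (for example `sts:ExternalId`), cross-account principals and service principals other than a plain `Service` block are deliberately not modeled.

```python
"""Offline model of the same-account sts:AssumeRole decision.

Added example for the kube2iam issue above, not project code. Account ID,
role names and policies are constructed placeholders.
"""
import re

ACCOUNT = "123456789012"                                    # placeholder account
NODE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/eks-node-role"    # hypothetical node instance role
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/app-s3-reader"     # hypothetical pod role

# Identity-based policy from the kube2iam install docs, attached to NODE_ROLE.
NODE_ASSUME_ANY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}],
}

# Trust policy on APP_ROLE that names the node role explicitly (constructed).
TRUST_NODE_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": NODE_ROLE},
                   "Action": "sts:AssumeRole"}],
}

# Trust policy on APP_ROLE that trusts only the account root (constructed).
TRUST_ACCOUNT_ROOT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                   "Action": "sts:AssumeRole"}],
}

# Typical trust policy on NODE_ROLE itself: EC2 service only, no AWS principals (constructed).
TRUST_EC2_SERVICE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, text):
    """IAM-style wildcard match: * is any run of characters, ? a single one."""
    rx = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(rx, text, re.IGNORECASE) is not None


def _covers_assume_role(stmt):
    return any(_glob(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action", [])))


def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    return [] if principal == "*" else _as_list(principal.get("AWS", []))


def trust_decision(trust_policy, caller_role_arn):
    """Evaluate the target role's trust policy for one caller.

    Returns "deny" (explicit Deny matched), "role" (caller's role ARN is a
    principal, sufficient on its own), "account" (only the account root is
    trusted, identity policy also needed) or "none" (no matching Allow).
    """
    account = caller_role_arn.split(":")[4]
    root_forms = (account, f"arn:aws:iam::{account}:root")
    result = "none"
    for stmt in trust_policy.get("Statement", []):
        if not _covers_assume_role(stmt):
            continue
        for principal in _aws_principals(stmt):
            if principal == caller_role_arn:
                kind = "role"
            elif principal in root_forms:
                kind = "account"
            else:
                continue  # other accounts / "*" are not modeled here
            if stmt.get("Effect") == "Deny":
                return "deny"
            if kind == "role" or result == "none":
                result = kind
    return result


def identity_decision(policies, target_role_arn):
    """Evaluate the caller's identity-based policies for sts:AssumeRole on the target."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _covers_assume_role(stmt):
                continue
            if not any(_glob(r, target_role_arn) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt.get("Effect") == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "none"


def can_assume(caller_role_arn, caller_policies, target_role_arn, trust_policy):
    """Same-account AssumeRole decision with implicit self-assumption removed."""
    identity = identity_decision(caller_policies, target_role_arn)
    trust = trust_decision(trust_policy, caller_role_arn)
    if identity == "deny" or trust in ("deny", "none"):
        return False
    if trust == "role":
        return True                      # explicit role principal: necessary and sufficient
    return identity == "allow"           # root-only trust: identity policy must grant it


if __name__ == "__main__":
    # The reporter's test: trust names the node role, node identity policy removed.
    print("role trust, no identity policy:", can_assume(NODE_ROLE, [], APP_ROLE, TRUST_NODE_ROLE))
    # Root-only trust is where the install-doc policy still matters.
    print("root trust, no identity policy:", can_assume(NODE_ROLE, [], APP_ROLE, TRUST_ACCOUNT_ROOT))
    print("root trust, with identity policy:",
          can_assume(NODE_ROLE, [NODE_ASSUME_ANY], APP_ROLE, TRUST_ACCOUNT_ROOT))
    # Self-assumption is no longer implicit: the node role cannot assume itself
    # unless its own trust policy names it, even with Resource "*" on AssumeRole.
    print("self-assume, EC2-only trust:",
          can_assume(NODE_ROLE, [NODE_ASSUME_ANY], NODE_ROLE, TRUST_EC2_SERVICE))
```

The practical reading for the question asked: if every pod role's trust policy lists the node role ARN as principal, the `Resource: "*"` AssumeRole grant on the node role is redundant for those roles; it is still needed for any role whose trust policy names only the account root, and for a role that must assume itself now that the implicit self-trust is gone. Those are the cases to audit before removing the policy from the instance profiles.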