Open emboss64 opened 2 months ago
Hi @emboss64 , we cannot modify the AmazonEFSCSIDriverPolicy policy to allow arbitrary tags on the access point. This could be a security risk and lead to privilege escalation, as tags are often used for controlling access to resources. If you choose to do this, you'll need to create a separate policy.
I know, that's why I suggested adding proper documentation that adding tags also requires the use of an additional policy
/kind bug
**What happened?** When deploying the latest version of the helm chart (probably happening with any other version as well) and specifying any additional tags for `controller.tags`, these tags are added to the AccessPoint. As the `AmazonEFSCSIDriverPolicy` only allows `elasticfilesystem:TagResource` and `elasticfilesystem:CreateAccessPoint` for the tag `efs.csi.aws.com/cluster`, you get an AccessDenied.

If you then add an additional custom policy to the role with the following permissions it works:
**What you expected to happen?** Make the policy allow these actions or document the need for a custom policy if tags are specified.
**How to reproduce it (as minimally and precisely as possible)?** Just add a custom tag to the controller:
**Please also attach debug logs to help us better diagnose**

In the pod you get:

In CloudTrail for the `CreateAccessPoint` event you get:

and once you sort that, you get:
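To make the failure mode concrete, here is an added example (not code from the issue, the driver or AWS) that simulates how a tag-scoped IAM Allow interacts with extra request tags. The two policy documents in it are constructed to model the behaviour described above: a baseline statement that permits `elasticfilesystem:CreateAccessPoint` only when the `efs.csi.aws.com/cluster` tag is present and is the only tag key, and a separate operator-owned statement that adds specific extra tag keys. Both documents, the exact condition operators used, and the tag values are assumptions; the text of the real `AmazonEFSCSIDriverPolicy` is not reproduced here. Only the condition operators the example needs are implemented.

```python
"""Toy IAM evaluator: why extra tags on CreateAccessPoint trip a tag-scoped Allow.

Added example. The policies below are CONSTRUCTED to model the behaviour the issue
describes and are not the text of AmazonEFSCSIDriverPolicy. Only the condition
operators Null, StringEquals, StringLike and the ForAllValues/ForAnyValue set
operators are implemented; evaluation order is the simplified IAM rule
"explicit Deny wins, then any Allow, else implicit deny".
"""
import fnmatch

CLUSTER_TAG = "efs.csi.aws.com/cluster"

# Assumed baseline: the cluster tag must be present (Null == "false") and every
# tag key in the request must be the cluster tag (ForAllValues on aws:TagKeys).
BASELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticfilesystem:CreateAccessPoint"],
        "Resource": "*",
        "Condition": {
            "Null": {f"aws:RequestTag/{CLUSTER_TAG}": "false"},
            "ForAllValues:StringEquals": {"aws:TagKeys": [CLUSTER_TAG]},
        },
    }],
}


def extra_tags_policy(allowed_keys):
    """Assumed supplementary policy an operator attaches separately: it permits the
    named extra tag keys only, rather than arbitrary tags (the maintainer's concern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["elasticfilesystem:CreateAccessPoint"],
            "Resource": "*",
            "Condition": {
                "Null": {f"aws:RequestTag/{CLUSTER_TAG}": "false"},
                "ForAllValues:StringEquals": {"aws:TagKeys": [CLUSTER_TAG, *allowed_keys]},
            },
        }],
    }


def request_context(action, tags):
    """Derive the context keys IAM exposes for a tag-on-create request."""
    ctx = {"action": action, "aws:TagKeys": sorted(tags)}
    for key, value in tags.items():
        ctx[f"aws:RequestTag/{key}"] = value
    return ctx


def _match_one(base_op, actual, expected):
    if base_op == "Null":
        # "true": key must be absent; "false": key must be present
        return (actual is None) == (expected == "true")
    if actual is None:
        return False
    if base_op == "StringEquals":
        return actual == expected
    if base_op == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported condition operator: {base_op}")


def condition_matches(operator, block, ctx):
    """Every key inside one operator block must match for the block to match."""
    set_op, base_op = operator.split(":") if ":" in operator else (None, operator)
    for key, expected in block.items():
        expected_values = expected if isinstance(expected, list) else [expected]
        actual = ctx.get(key)
        if set_op is None:
            if not any(_match_one(base_op, actual, e) for e in expected_values):
                return False
            continue
        actual_values = actual if isinstance(actual, list) else ([] if actual is None else [actual])
        hits = [any(_match_one(base_op, a, e) for e in expected_values) for a in actual_values]
        if set_op == "ForAllValues" and not all(hits):   # empty request set matches
            return False
        if set_op == "ForAnyValue" and not any(hits):
            return False
    return True


def statement_matches(stmt, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in actions):
        return False
    return all(condition_matches(op, blk, ctx) for op, blk in stmt.get("Condition", {}).items())


def evaluate(policies, ctx):
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, ctx):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision


def create_access_point_decision(policies, tags):
    return evaluate(policies, request_context("elasticfilesystem:CreateAccessPoint", tags))


if __name__ == "__main__":
    cluster_only = {CLUSTER_TAG: "true"}
    with_extra = {CLUSTER_TAG: "true", "team": "payments", "env": "prod"}  # constructed tags
    print(create_access_point_decision([BASELINE_POLICY], cluster_only))
    print(create_access_point_decision([BASELINE_POLICY], with_extra))
    print(create_access_point_decision([BASELINE_POLICY, extra_tags_policy(["team", "env"])], with_extra))
    print(create_access_point_decision([BASELINE_POLICY, extra_tags_policy(["team"])], with_extra))
```

The point the simulation makes is that the supplementary policy should enumerate the tag keys the Helm values actually set, scoped to the same cluster-tag condition, rather than dropping the tag-key restriction altogether; a request carrying any key outside that list still falls through to an implicit deny.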