Closed fatmcgav closed 1 month ago
This looks like you are looking for https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-role-for-service-accounts-eks instead. Using that sub-module, is this change still warranted? I'm thinking no.
Hey @bryantbiggs ...
So I think this change is still valid, as I'm using session tags in combination with an external OIDC provider, in this case env0. Docs are here: https://docs.env0.com/docs/oidc-with-aws#custom-claims-with-aws-session-tags-optional
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days
@bryantbiggs / @antonbabenko Any chance of a review on this one?
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days
ping
As I understand it, it also covers https://github.com/terraform-aws-modules/terraform-aws-iam/issues/426 in a different way.
@bryantbiggs I've updated this PR following the discussion we had on https://github.com/terraform-aws-modules/terraform-aws-iam/pull/479#issuecomment-2203812126
@bryantbiggs OK, I've tweaked the PR to make it more generic.
I did make one tweak to your suggestions, which was to call the variable `policy_conditions` rather than `provider_conditions`, as I think the former is closer to the docs.
PTAL
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days
Apologies, just noticed the failed pre-commit check... Have fixed that now, so it should be good.
This PR is included in version 5.44.0 :tada:
I'm going to lock this pull request because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
This commit adds support to the `iam-assumable-role-with-oidc` module for adding policy condition constraints [1]. Also add an example showing use with an `aws:RequestTag` session tag match [2].

[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
Motivation and Context
AWS STS session tags allow for additional control when using the `AssumeRoleWithWebIdentity` authentication call.

Breaking Changes
None
How Has This Been Tested?
- I have updated at least one of the `examples/*` to demonstrate and validate my change(s)
- I have tested and validated these changes using one or more of the provided `examples/*` projects
- I have executed `pre-commit run -a` on my pull request
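The kind of trust policy the Description and Motivation sections refer to, written as an added example directly against the `aws_iam_policy_document` data source the PR cites rather than using the module itself (this is not the PR's or the module's own code). The provider host, account id, audience value and the `environment` tag key/value are assumptions; the point is that the OIDC audience check and the `aws:RequestTag` session-tag check are both evaluated before the role can be assumed, and that `sts:TagSession` must be allowed for tags to be passed at all.

```hcl
# Added example, not part of the PR. All identifiers below are assumed placeholders.
locals {
  oidc_provider_host = "app.example.com"                                      # assumed OIDC issuer host
  oidc_provider_arn  = "arn:aws:iam::123456789012:oidc-provider/${local.oidc_provider_host}"
  oidc_audience      = "sts.amazonaws.com"                                    # assumed aud claim
}

data "aws_iam_policy_document" "oidc_trust" {
  statement {
    effect = "Allow"

    # sts:TagSession is required in addition to AssumeRoleWithWebIdentity
    # whenever the identity provider attaches session tags to the request.
    actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]

    principals {
      type        = "Federated"
      identifiers = [local.oidc_provider_arn]
    }

    # Standard OIDC check: the token must be minted for this audience.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_provider_host}:aud"
      values   = [local.oidc_audience]
    }

    # Session-tag constraint: only requests whose token-derived session tags
    # include environment=production may assume this role. Tokens without the
    # tag, or with a different value, are denied at AssumeRole time.
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/environment"
      values   = ["production"]
    }
  }
}

resource "aws_iam_role" "oidc_deploy" {
  name               = "oidc-deploy-role"   # assumed role name
  assume_role_policy = data.aws_iam_policy_document.oidc_trust.json
}
```

Once assumed, the same tag is also available as `aws:PrincipalTag/environment` in downstream resource policies, so the constraint can be carried past the trust boundary.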