fix!: Irsa additional assumable principals

terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦

https://registry.terraform.io/modules/terraform-aws-modules/iam/aws

Apache License 2.0

787 stars 997 forks source link

fix!: Irsa additional assumable principals #515

Closed sandeshgrangdan closed 2 weeks ago

sandeshgrangdan commented 1 month ago

Description

Enhanced the iam-role-for-service-accounts-eks module to support additional trusted principals including both IAM roles and users.

Motivation and Context

To allow an IRSA role from one service to be assumed by an IRSA role in another service, supporting cross-service role assumption.

Breaking Changes

None

How Has This Been Tested?

[X] I have updated at least one of the examples/* to demonstrate and validate my change(s)
[X] I have tested and validated these changes using one or more of the provided examples/* projects
[X] I have executed pre-commit run -a on my pull request

bryantbiggs commented 1 month ago

To allow an IRSA role from one service to be assumed by an IRSA role in another service, supporting cross-service role assumption.

Why?

sandeshgrangdan commented 1 month ago

To allow an IRSA role from one service to be assumed by an IRSA role in another service, supporting cross-service role assumption.

Why?

I need to generate temporary credentials from an IRSA role that will be used by external applications. To manage these credentials, I have a separate key rotation application with its own role or user that will update the temporary credentials generated by the IRSA role.

bryantbiggs commented 2 weeks ago

thank you for that info - unfortunately, I don't think that is a use case we are going to support here