Closed michaelmcallister closed 8 months ago
CC: @stefansedich (as you expressed some interest in https://github.com/uswitch/kiam/issues/462)
@pingles are you able to assist with the review?
EDIT: or @Joseph-Irving? I see that you recently merged a PR
Hi, we're not going to be adding any new features to Kiam going forward; we're actively moving away from it and using https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html instead. We don't have the time to thoroughly test these changes and we'd rather keep this repo stable for those who do still use it. Sorry if you have spent a lot of time on this; we would have said not to do it if you had reached out beforehand.
This change introduces the ability to set session tags for each pod, that then get passed through to the AssumeRole API call.
These session tags can then be referenced throughout your IAM policies. This allows you to use a single IAM role but apply it in different ways, for instance restricting users to certain resources based on a single tag.
Users can set 0 or more (up to 50) session tags with the following format:
for example:
This can then be referenced through your IAM policy as `${aws:PrincipalTag/user}`, allowing for more generic IAM policies that can be influenced dynamically.

In order to use this feature users will need to apply the `sts:TagSession` permission in their trust policies.

This fixes https://github.com/uswitch/kiam/issues/462
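As an added example that is not part of this PR or the Kiam project, the two IAM documents a role needs once a pod's session tags reach AssumeRole: the trust policy grants the Kiam server role both `sts:AssumeRole` and `sts:TagSession`, and the permissions policy scopes a shared role's S3 access by `${aws:PrincipalTag/user}`. The account id, role names and bucket name are placeholders.

```shell
#!/bin/sh
# Added example (not the Kiam project's code): writes the trust policy and the
# permissions policy for one role that is shared by many pods but scoped per
# session tag. Account id, role name and bucket name are placeholders.
set -eu

KIAM_SERVER_ROLE_ARN="arn:aws:iam::123456789012:role/kiam-server"   # placeholder
BUCKET="example-team-data"                                            # placeholder

# Trust policy: the principal that calls AssumeRole must also be allowed to
# sts:TagSession, otherwise an AssumeRole request carrying tags is denied.
write_trust_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "${KIAM_SERVER_ROLE_ARN}" },
    "Action": [ "sts:AssumeRole", "sts:TagSession" ]
  }]
}
EOF
}

# Permissions policy: a single role, but each session may only read, write and
# list the S3 prefix named by its "user" session tag (\${...} keeps the IAM
# policy variable literal instead of letting the shell expand it).
write_permissions_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [ "s3:GetObject", "s3:PutObject" ],
    "Resource": "arn:aws:s3:::${BUCKET}/\${aws:PrincipalTag/user}/*"
  }, {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::${BUCKET}",
    "Condition": { "StringLike": { "s3:prefix": "\${aws:PrincipalTag/user}/*" } }
  }]
}
EOF
}

write_trust_policy "${TMPDIR:-/tmp}/trust.json"
write_permissions_policy "${TMPDIR:-/tmp}/permissions.json"
# aws iam create-role --role-name shared-app --assume-role-policy-document "file://${TMPDIR:-/tmp}/trust.json"
# aws iam put-role-policy --role-name shared-app --policy-name scoped-s3 --policy-document "file://${TMPDIR:-/tmp}/permissions.json"
```

The tag value is whatever the pod annotation says, so whoever can set that annotation chooses the principal tag; the policy narrows what a given tag can reach, it does not verify who set it.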