uswitch / kiam

Integrate AWS IAM with Kubernetes
Apache License 2.0

Support regexp/prefix match for `iam.amazonaws.com/role` annotation #64

Open discordianfish opened 6 years ago

discordianfish commented 6 years ago

Hi,

I'm using cloudformation to create my IAM roles. I can't give them stable names because cloudformation has to be able to dynamically generate the names if you want a way to update the roles (see docs).

Currently I need to apply my cfn template and copy the generated role names to my k8s manifests.

The generated names look like this: [stack-name]-[logical-resource-name]-[random-string], for example int-site-ExtDNSRole-1XGYNGL4GST7Y

It would be great if kiam supported prefix or regexp based match, so I could use an annotation like this to allow my pod to assume this role: iam.amazonaws.com/role: "int-site-ExtDNSRole-.*"

pingles commented 6 years ago

Interesting- would there only ever be one role that matches the regexp, or could multiple roles exist at the same time? If there were more than one, how should Kiam figure out which one should be returned?

pingles commented 6 years ago

I/we use Terraform so we have consistent role names- hadn't anticipated the need for dynamic matching :)

pingles commented 6 years ago

My only general worry is the time that AWS calls take- to support regexp'ed roles Kiam would likely need to call list-roles to retrieve all roles repeatedly and it'd likely need the annotation to use a full arn-based prefix (so that it could load/cache roles within a specific AWS account).

It could probably be added relatively safely but I'm not sure whether it would perform sufficiently well as the load a specific role path. It'd be interesting to add (alongside work to consolidate metrics with Prometheus) to see whether it works well enough, and potentially added with some kind of feature flag.

discordianfish commented 6 years ago

would there only ever be one role that matches the regexp, or could multiple roles exist at the same time?

The names are prefixed by the stack name and they have to be unique within a region, so there shouldn't be multiple roles at the same time for the same logical role, except during stack updates.

My only general worry is the time that AWS calls take- to support regexp'ed roles Kiam would likely need to call list-roles to retrieve all roles repeatedly and it'd likely need the annotation to use a full arn-based prefix (so that it could load/cache roles within a specific AWS account).

Yes, unfortunately there isn't a way to tag the role and use that to retrieve them. So yes to everything you said. :)
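As an added illustration of the resolution logic the thread sketches (full ARN-based prefix so matching is scoped to one account, a cached list-roles result, and a rule for the multiple-match case), here is a small Go matcher. It is example code written for this page, not kiam's implementation: the annotation format (a full `arn:aws:iam::<account>:role/` prefix followed by a Go regexp for the role name), the `ResolveRole` function, and the sample ARNs are all constructed for the example. The regexp is anchored so a pattern can only match a whole role name, and the example fails closed when more than one role matches; that is a design choice for this example, since picking one of several matching roles silently would hand a pod credentials nobody explicitly chose.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of what a cached list-roles result might hold.
// These ARNs and account ids are made up for the example.
var cachedRoleARNs = []string{
	"arn:aws:iam::111111111111:role/int-site-ExtDNSRole-1XGYNGL4GST7Y",
	"arn:aws:iam::111111111111:role/int-site-ExtDNSRole-ABCDEFGHIJKLM", // overlap during a stack update
	"arn:aws:iam::111111111111:role/int-site-DBRole-9Z8Y7X6W5V4U3",
	"arn:aws:iam::222222222222:role/int-site-ExtDNSRole-QQQQQQQQQQQQQ", // same name pattern, other account
}

const arnPrefix = "arn:aws:iam::"

// ResolveRole returns the single cached role ARN matched by a hypothetical
// annotation of the form "arn:aws:iam::<account>:role/<go-regexp>".
// It errors if the annotation is not account-scoped, the pattern is invalid,
// nothing matches, or more than one role matches (fail closed on ambiguity).
func ResolveRole(annotation string, roles []string) (string, error) {
	if !strings.HasPrefix(annotation, arnPrefix) {
		return "", errors.New("annotation must start with arn:aws:iam::<account>:role/")
	}
	idx := strings.Index(annotation, ":role/")
	if idx < 0 {
		return "", errors.New("annotation must contain :role/")
	}
	accountPrefix := annotation[:idx+len(":role/")] // everything up to and including ":role/"
	pattern := annotation[idx+len(":role/"):]       // the role-name regexp

	// Anchor the pattern so it must match the entire role name; an unanchored
	// "Role-.*" would otherwise substring-match unrelated roles.
	re, err := regexp.Compile("^(?:" + pattern + ")$")
	if err != nil {
		return "", fmt.Errorf("invalid role pattern %q: %w", pattern, err)
	}

	var matches []string
	for _, arn := range roles {
		// Only consider roles in the account named by the annotation.
		if !strings.HasPrefix(arn, accountPrefix) {
			continue
		}
		if re.MatchString(strings.TrimPrefix(arn, accountPrefix)) {
			matches = append(matches, arn)
		}
	}

	switch len(matches) {
	case 0:
		return "", fmt.Errorf("no cached role matches %q", annotation)
	case 1:
		return matches[0], nil
	default:
		return "", fmt.Errorf("ambiguous annotation %q matches %d roles: %v", annotation, len(matches), matches)
	}
}

func main() {
	for _, a := range []string{
		"arn:aws:iam::111111111111:role/int-site-DBRole-.*",     // exactly one match
		"arn:aws:iam::111111111111:role/int-site-ExtDNSRole-.*", // two matches during a stack update
		"int-site-ExtDNSRole-.*",                                // not account-scoped
	} {
		role, err := ResolveRole(a, cachedRoleARNs)
		fmt.Printf("%s -> role=%q err=%v\n", a, role, err)
	}
}
```

The stack-update overlap discordianfish describes is exactly the case where this matcher refuses to answer; a real implementation would need a deterministic tie-break (or a short grace window) if pods must keep working mid-update, and the list-roles cache would have to be refreshed on the same schedule for the new role to become visible at all.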