uswitch / kiam

Integrate AWS IAM with Kubernetes
Apache License 2.0
1.15k stars 238 forks

Multiple roles #89

Closed paalkr closed 6 years ago

paalkr commented 6 years ago

Hi

How can I attach multiple roles to a Pod using Kiam?

    metadata:
      annotations:
        iam.amazonaws.com/role:   # a list is not a valid annotation value
        - role1
        - role2

obviously does not work

    metadata:
      annotations:
        iam.amazonaws.com/role: role1
        iam.amazonaws.com/role: role2   # duplicate key: the last value wins

will only assign role2, as expected

pingles commented 6 years ago

@paalkr Unfortunately it's not possible to assume multiple roles. Part of the protocol that Kiam intercepts is discovering which role should be associated to a Pod (like the role associated to an EC2 instance).

If you want to assume multiple roles I'd suggest you associate a role to your Pod which lets the Pod call sts:AssumeRole and have your application switch between roles before it makes API calls.

I'm going to close this for now as I don't think it would be possible for Kiam (or another tool) to possibly support this. I'm happy to talk more about what you're trying to do (and how you might be able to do it) though.
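The pattern pingles describes, written out as an added example (not Kiam's code and not part of this thread): the Pod's annotated role carries only `sts:AssumeRole` on the target roles, each target role trusts the Pod's role, and the application assumes whichever target it needs before the API call, caching and refreshing the credentials per role. The ARNs are hypothetical, `FakeSTS` is a constructed stand-in for the boto3 STS client so the example runs offline, and `boto3_client` is the only piece that needs boto3 installed.

```python
import datetime as dt
import threading
from dataclasses import dataclass

# Hypothetical ARNs, used only for illustration.
POD_ROLE_ARN = "arn:aws:iam::123456789012:role/kiam-pod-role"
TARGET_ROLE_ARNS = {
    "role1": "arn:aws:iam::123456789012:role/role1",
    "role2": "arn:aws:iam::123456789012:role/role2",
}


def pod_role_policy(target_arns):
    """Permission policy for the Pod's (Kiam-annotated) role: it gets no
    data-plane permissions itself, only the right to assume the targets."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": sorted(target_arns)}]}


def target_trust_policy(pod_role_arn):
    """Trust policy on each target role: only the Pod's role may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": pod_role_arn}, "Action": "sts:AssumeRole"}]}


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: dt.datetime


class RoleSwitcher:
    """Hands out STS credentials for whichever target role a call needs.
    Credentials are cached per role and refreshed shortly before expiry, so
    switching roles costs one AssumeRole per role per session, not per call."""

    def __init__(self, sts_client, role_arns, session_name,
                 refresh_margin=dt.timedelta(minutes=5), now=None):
        self._sts = sts_client            # boto3 STS client, or a stand-in
        self._roles = dict(role_arns)
        self._session_name = session_name
        self._margin = refresh_margin
        self._now = now or (lambda: dt.datetime.now(dt.timezone.utc))
        self._cache = {}
        self._lock = threading.Lock()

    def credentials_for(self, role_name):
        arn = self._roles[role_name]      # unknown role: raise, never fall back
        with self._lock:
            creds = self._cache.get(role_name)
            if creds is None or creds.expiration - self._now() <= self._margin:
                creds = self._assume(arn)
                self._cache[role_name] = creds
            return creds

    def _assume(self, arn):
        # Same call shape as boto3's sts.assume_role; the Pod's own (Kiam-served)
        # credentials authenticate this request.
        resp = self._sts.assume_role(RoleArn=arn, RoleSessionName=self._session_name,
                                     DurationSeconds=3600)
        c = resp["Credentials"]
        return Credentials(c["AccessKeyId"], c["SecretAccessKey"],
                           c["SessionToken"], c["Expiration"])

    def boto3_client(self, service, role_name, **kwargs):
        """A boto3 client bound to the named role's credentials (needs boto3)."""
        import boto3
        creds = self.credentials_for(role_name)
        return boto3.client(service, aws_access_key_id=creds.access_key_id,
                            aws_secret_access_key=creds.secret_access_key,
                            aws_session_token=creds.session_token, **kwargs)


class FakeSTS:
    """Constructed offline stand-in for STS; records which roles were assumed."""

    def __init__(self, now):
        self._now = now
        self.assumed = []

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.assumed.append(RoleArn)
        n = len(self.assumed)
        return {"Credentials": {
            "AccessKeyId": f"ASIAFAKE{n:04d}", "SecretAccessKey": f"secret{n}",
            "SessionToken": f"token{n}",
            "Expiration": self._now() + dt.timedelta(seconds=DurationSeconds)}}


def demo():
    """Switch between role1 and role2; returns the AssumeRole calls actually made."""
    clock = [dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)]

    def now():
        return clock[0]

    sts = FakeSTS(now)
    switcher = RoleSwitcher(sts, TARGET_ROLE_ARNS, "my-app", now=now)
    switcher.credentials_for("role1")       # AssumeRole role1
    switcher.credentials_for("role2")       # AssumeRole role2
    switcher.credentials_for("role1")       # served from cache, no call
    clock[0] += dt.timedelta(minutes=56)    # now within 5 min of expiry
    switcher.credentials_for("role1")       # refreshed: AssumeRole role1 again
    return sts.assumed


def rejects_unknown_role():
    """A role name that was never configured must fail, not fall back to the Pod role."""
    switcher = RoleSwitcher(FakeSTS(lambda: dt.datetime.now(dt.timezone.utc)),
                            TARGET_ROLE_ARNS, "my-app")
    try:
        switcher.credentials_for("role3")
    except KeyError:
        return True
    return False
```

In the real deployment the Pod's annotation names only `kiam-pod-role`; `pod_role_policy` is attached to that role and `target_trust_policy` to `role1` and `role2`, so the set of roles a Pod can reach is still pinned down in IAM rather than chosen freely by the application.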

paalkr commented 6 years ago

Thanks

I'm aware that an EC2 instance cannot assume more than one IAM Role (or actually Role Profile) at a time. I just wondered if that was possible to work around in K8s. I have set up the managed policy / role combinations I need for my various deployments - all good :)