Add ability to annotate Service Account
Is your enhancement related to a problem? Please describe
There is a feature in OpenShift to allow pods to interact with AWS resources if configured with the specific annotation on the service account associated with the pod. This would allow developers to deploy and interact with AWS resources without having to login to AWS when using Dev Spaces in this instance.
Describe the solution you'd like
There is currently a feature which allows annotations for deployments and services through the devfile, the solution I would like is to add a config for adding an annotation to the service account that is created.
Describe alternatives you've considered
No response
Additional context
No response
IAM roles for ServiceAccounts AWS documentation.
Devfile podOverrides can be used to annotate Pods but not ServiceAccounts.
Currently (since v7.58) it's possible to use a specific service account per namespace (i.e. per user). The namespace service accounts can be annotated (manually) and that would address this issue.
Recently (since v7.64) it's possible to specify a ServiceAccount token volume projection. That's a new Kubernetes feature (v1.20) that allows federating with an external identity provider. But that doesn't look to be helpful for AWS IAM.
A solution to avoid manual creation of the SA and the annotations is adding a new CheCluster field, a corresponding field in the DWOC and implementing the DW controller feature that applies the annotations to the service accounts:

```yaml
spec:
  devEnvironments:
    serviceAccountAnnotations:
      eks.amazonaws.com/role-arn: 'arn:aws:iam::111122223333:role/my-role'
```
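As an added illustration (not code from Che, the DevWorkspace Operator, or this thread), here is how a controller could copy the proposed `spec.devEnvironments.serviceAccountAnnotations` map onto a workspace ServiceAccount while refusing to write a malformed `eks.amazonaws.com/role-arn` value. The CheCluster field, `validate_annotations` and `apply_sa_annotations` are assumed names, and the inputs are constructed.

```python
import re
from copy import deepcopy

# Matches an IAM role ARN such as arn:aws:iam::111122223333:role/my-role
# (any aws partition, 12-digit account id, optional role path).
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")
IRSA_KEY = "eks.amazonaws.com/role-arn"


def validate_annotations(annotations):
    """Return a list of problems found in a proposed annotation map (empty if OK)."""
    problems = []
    for key, value in annotations.items():
        if not isinstance(value, str) or not value:
            problems.append(f"{key}: value must be a non-empty string")
        elif key == IRSA_KEY and not ROLE_ARN_RE.match(value):
            problems.append(f"{key}: '{value}' is not a well-formed IAM role ARN")
    return problems


def apply_sa_annotations(checluster_spec, service_account):
    """Merge the (hypothetical) CheCluster annotation map into a ServiceAccount.

    Existing annotations are kept, CheCluster keys win on conflict, the input
    object is not mutated, and an invalid role ARN raises instead of being applied.
    """
    wanted = checluster_spec.get("devEnvironments", {}).get("serviceAccountAnnotations", {})
    problems = validate_annotations(wanted)
    if problems:
        raise ValueError("; ".join(problems))
    sa = deepcopy(service_account)
    metadata = sa.setdefault("metadata", {})
    merged = dict(metadata.get("annotations", {}))
    merged.update(wanted)
    metadata["annotations"] = merged
    return sa


# Constructed sample input: the CheCluster fragment proposed above and a
# per-user workspace ServiceAccount as the DevWorkspace controller would create it.
SAMPLE_CHECLUSTER_SPEC = {
    "devEnvironments": {
        "serviceAccountAnnotations": {IRSA_KEY: "arn:aws:iam::111122223333:role/my-role"}
    }
}
SAMPLE_SA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "workspace-sa", "namespace": "user-che",
                 "annotations": {"example.org/owner": "user"}},
}

if __name__ == "__main__":
    print(apply_sa_annotations(SAMPLE_CHECLUSTER_SPEC, SAMPLE_SA)["metadata"]["annotations"])
```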
In AWS, we are using the AWS-built solution for assuming roles. https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
The solutions that I proposed above (manually specify the SA annotation or specify the annotation in CheCluster CR) don't work for this use case.
The IAM role is specific to the application (git repository):
- different workspaces of the same developer may have different IAM roles
- workspaces created from the same repository but by different developers should have the same IAM role
Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.
Mark the issue as fresh with /remove-lifecycle stale in a new comment.
If this issue is safe to close now please do so.
Moderators: Add lifecycle/frozen label to avoid stale mode.
/remove-lifecycle stale
A possible solution to investigate here are AWS Short Lived Credentials:
- https://github.com/openshift/cloud-credential-operator/blob/master/docs/sts.md
- https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html