
Assign roles by ServiceAccount

Open jfoy opened this issue 7 years ago • 3 comments

Kubernetes gives us ServiceAccounts to assign identity (and authorization) to Pods, varying across namespaces. It would be awesome if we could annotate a ServiceAccount with an AWS role, and have kiam assign that AWS role to Pods that specify that ServiceAccountName.

This would let us use separate AWS roles for staging vs production namespaces without having to change the Deployment, and potentially gives a way to manage role accessibility per namespace using native k8s objects (no separate list per namespace).

jfoy avatar Aug 31 '18 18:08 jfoy
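Added example, not part of the issue thread and not kiam's code: a sketch of the lookup this request implies, where the same `serviceAccountName` resolves to a different role in each namespace and the lookup never leaves the Pod's own namespace. The annotation key `example.invalid/aws-role`, the type and function names, and the sample accounts are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical annotation key: the issue does not name one.
const roleAnnotation = "example.invalid/aws-role"

var ErrNoRole = errors.New("no role bound to service account")

type ServiceAccount struct {
	Namespace, Name string
	Annotations     map[string]string
}

type Pod struct{ Namespace, Name, ServiceAccountName string }

// ResolveRole looks up the pod's ServiceAccount in the pod's own namespace only,
// so an account of the same name elsewhere can never supply a role. It fails
// closed when the account or its annotation is missing.
func ResolveRole(p Pod, accounts []ServiceAccount) (string, error) {
	sa := p.ServiceAccountName
	if sa == "" {
		sa = "default" // Kubernetes uses the "default" account when none is set
	}
	for _, a := range accounts {
		if a.Namespace == p.Namespace && a.Name == sa {
			if role := a.Annotations[roleAnnotation]; role != "" {
				return role, nil
			}
			break
		}
	}
	return "", fmt.Errorf("%s/%s (serviceaccount %q): %w", p.Namespace, p.Name, sa, ErrNoRole)
}

// SampleAccounts is constructed data: one account name, two namespaces, two roles.
func SampleAccounts() []ServiceAccount {
	return []ServiceAccount{
		{"staging", "uploader", map[string]string{roleAnnotation: "uploader-staging"}},
		{"production", "uploader", map[string]string{roleAnnotation: "uploader-production"}},
	}
}

func main() {
	for _, ns := range []string{"staging", "production", "sandbox"} {
		role, err := ResolveRole(Pod{ns, "web-0", "uploader"}, SampleAccounts())
		fmt.Println(ns, role, err)
	}
}
```

With this shape, who may edit ServiceAccount annotations in a namespace decides which roles its Pods can obtain, so that RBAC permission becomes the access control to review.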

For the record, I'd love to see this happen. v3 changes the gRPC API around to make it easier to extend for this kind of thing. One thing we talked about was implementing something closer to the proposal we suggested in https://github.com/kubernetes/community/pull/2329.

If other people were up for implementing I'd be more than happy to have some kind of hangouts/chat about how we could make it happen but it's not a priority for us internally at the moment (and I don't get as much time to contribute these days).

pingles avatar Oct 08 '18 12:10 pingles

Sounds great. I'm UTC-0800; when is a good time to chat?

jfoy avatar Nov 09 '18 17:11 jfoy

https://github.com/aws/containers-roadmap/issues/23

jfoy avatar Feb 05 '19 20:02 jfoy