Update pod-id-role.adoc #1047
Update pod-id-role.adoc #1047
Conversation
Adding additional guidance for how customers using Pod Identity can further restrict a Pod Identity IAM Role trust policy by clarifying what Request Tags the AssumeRole calls provide and including an example.
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
| *Setting Conditions*:: | ||
| You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. When the Pod Identity IAM Role is assumed, it sends the following Request Tags: | ||
|
|
||
| * `eks-cluster-arn` |
There was a problem hiding this comment.
This is a copy of this list
Its a little easier for us to only have one copy of a list, but if its relevant to the example, that's OK.
There was a problem hiding this comment.
@antmatts do you think having it in the linked location is sufficient? or worth duplicating here?
There was a problem hiding this comment.
@geoffcline I think it's okay having it use the linked location so the list is maintained in one spot; but leave the example so users know how to use them in the Trust Policy.
There was a problem hiding this comment.
Side question, I don't see the referenced Pod ID ABAC doc showing in the public documentation. Is this doc supposed to be live already?
| For example, to restrict a Pod Identity IAM Role to a specific `ServiceAccount` and `Namespace`, the following Trust Policy with the added `Condition` policies can further restrict what can assume the role: |
There was a problem hiding this comment.
The double preposition is a tad awkward: For example, To restrict ...,
Writing around the second one, maybe more like:
For example, you can restrict which pods can assume the role a Pod Identity IAM Role to a specific
ServiceAccountandNamespacewith the following Trust Policy with the addedCondition:
Adding additional guidance for how customers using Pod Identity can further restrict a Pod Identity IAM Role trust policy by clarifying what Request Tags the AssumeRole calls provide and including an example.
Issue #, if available: No issue number
Description of changes: Customers have been asking how to restrict Pod Identity IAM Roles to ensure only specific EKS cluster, namespaces, and/or ServiceAccounts can assume the role. The default Trust Policy is very open in comparison to IRSA and we don't have any good public documentation to help clarify to customers how to achieve this. Validated and tested the RequestTags and syntax to confirm they will restrict the IAM Role access further then the default Trust Policy.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.